mbedtls_x509_crt_parse_path() fails to load the ca-bundle on Fedora #3005
Comments
Hi @jp-bennett, yes, it looks like a reasonable solution to me. Thank you for offering your help; please submit a PR to address this issue, we will be happy to take it.
When mbedtls_x509_crt_parse_path() checks each object in the supplied path, it only processes regular files. This change makes it also accept a symlink to a file. Fixes Mbed-TLS#3005. This was observed to be a problem on Fedora/CentOS/RHEL systems, where the ca-bundle in the default location is actually a symlink.
@yanesca Submitted the PR. I may have noticed a related issue, also in mbedtls_x509_crt_parse_path().
Thank you very much for your contribution! Indeed, that behaviour is not intended: the documentation of Thank you for catching this! Could you please open a new issue for this matter?
@jp-bennett Thank you for reporting your findings! I am reopening this issue, as #3008 and its backports need reverting.
…development-2.16" This reverts commit 7550e85, reversing changes made to d0c2575. stat() will never return S_IFLNK as the file type, as stat() explicitly follows symlinks. Fixes Mbed-TLS#3005.
…development-2.7" This reverts commit 130e136, reversing changes made to 071b3e1. stat() will never return S_IFLNK as the file type, as stat() explicitly follows symlinks. Fixes Mbed-TLS#3005.
Type: Bug
Possibly related to #2409. I've tracked down an issue in OBS on Fedora where RTMPS streams fail to authenticate. See: https://obsproject.com/forum/threads/unable-to-live-stream-to-facebook-live-over-rtmps.102849/
The root issue is that on Fedora, the ca-bundle in /etc/ssl/certs/ is a symlink, and mbedtls_x509_crt_parse_path() explicitly skips loading anything that isn't a regular file.
https://github.com/ARMmbed/mbedtls/blob/ccdeb47cdf0f4f070c7d48d46e5e098f025c005b/library/x509_crt.c#L1616
Line 1616 seems to be the issue. I don't know of any security problems with allowing symlinked bundles, so perhaps it should read:
if( !( S_ISREG( sb.st_mode ) || S_ISLNK( sb.st_mode ) ) )
If that seems like a reasonable solution, I can submit a patch, or feel free to just make the change, as it's trivial.
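As an added example (not code from the issue, the PR, or the Mbed TLS source), the following C program demonstrates the point made in the revert commit message above: stat() follows symlinks, so a symlink to a regular file already passes an S_ISREG() check after stat(), and S_ISLNK() can only ever be true after lstat(). It also covers the edge case the original filter handles correctly: a dangling symlink is skipped because stat() on it fails. The helper names and the scratch directory layout (a placeholder `bundle.pem` with a `ca-bundle.crt` symlink, mimicking the Fedora arrangement) are constructed for this example.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hypothetical helper, not Mbed TLS code: the same "stat() then S_ISREG()"
 * filter that mbedtls_x509_crt_parse_path() applies to each directory entry. */
static int accepted_by_regular_file_check(const char *path)
{
    struct stat sb;
    if (stat(path, &sb) != 0)
        return 0;                        /* unreadable or dangling: skipped */
    return S_ISREG(sb.st_mode) ? 1 : 0;
}

/* stat() resolves the link and reports the target, so this is never 1
 * for a symlink that points at a regular file. */
static int symlink_seen_by_stat(const char *path)
{
    struct stat sb;
    if (stat(path, &sb) != 0)
        return 0;
    return S_ISLNK(sb.st_mode) ? 1 : 0;
}

/* lstat() reports the link itself, so this is 1 for any symlink. */
static int symlink_seen_by_lstat(const char *path)
{
    struct stat sb;
    if (lstat(path, &sb) != 0)
        return 0;
    return S_ISLNK(sb.st_mode) ? 1 : 0;
}

/* Builds a scratch directory (constructed fixture) containing:
 *   bundle.pem                   regular file holding a placeholder, not a cert
 *   ca-bundle.crt -> bundle.pem  symlink, like the Fedora layout
 *   dangling.crt  -> missing.pem symlink whose target does not exist
 * Fills out[0..3] with the four checks and removes the fixture again.
 * Returns 0 on success, -1 if the fixture could not be created. */
static int run_symlink_demo(int out[4])
{
    char dir[] = "/tmp/cabundle-demo-XXXXXX";
    char reg[256], lnk[256], dangling[256];
    FILE *f;
    int rc = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(reg, sizeof reg, "%s/bundle.pem", dir);
    snprintf(lnk, sizeof lnk, "%s/ca-bundle.crt", dir);
    snprintf(dangling, sizeof dangling, "%s/dangling.crt", dir);

    if ((f = fopen(reg, "w")) == NULL)
        goto cleanup;
    fputs("# constructed placeholder, not a certificate\n", f);
    fclose(f);
    if (symlink("bundle.pem", lnk) != 0 || symlink("missing.pem", dangling) != 0)
        goto cleanup;

    out[0] = accepted_by_regular_file_check(lnk);      /* 1: link to a file is loaded */
    out[1] = symlink_seen_by_stat(lnk);                /* 0: stat() never yields S_IFLNK */
    out[2] = symlink_seen_by_lstat(lnk);               /* 1: only lstat() sees the link */
    out[3] = accepted_by_regular_file_check(dangling); /* 0: broken link is skipped */
    rc = 0;

cleanup:
    unlink(dangling);
    unlink(lnk);
    unlink(reg);
    rmdir(dir);
    return rc;
}

/* Packs the four results into bits 0..3 (or -1 on fixture failure) so the
 * whole demo can be checked with one comparison. */
static int symlink_demo_bits(void)
{
    int r[4];
    if (run_symlink_demo(r) != 0)
        return -1;
    return (r[0] << 0) | (r[1] << 1) | (r[2] << 2) | (r[3] << 3);
}

int main(void)
{
    int r[4];
    if (run_symlink_demo(r) != 0) {
        perror("run_symlink_demo");
        return 1;
    }
    printf("symlink accepted by stat()+S_ISREG() check: %d\n", r[0]);
    printf("S_ISLNK() after stat():                     %d\n", r[1]);
    printf("S_ISLNK() after lstat():                    %d\n", r[2]);
    printf("dangling symlink accepted:                  %d\n", r[3]);
    return 0;
}
```

Run it on any POSIX system with a writable /tmp; the first and third lines print 1, the second and fourth print 0. The practical consequence for a loader like parse_path is that a stat()-based S_ISREG() filter already accepts symlinked bundles, and that adding an S_ISLNK() branch after stat() is dead code; if a symlinked bundle still fails to load, the cause lies elsewhere than this check.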