-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto: use X509_V_FLAG_TRUSTED_FIRST for tls #457
Conversation
Cherry-pick the X509_V_FLAG_TRUSTED_FIRST patch from upstream OpenSSL. This flag tells OpenSSL to check the CA chain against the trusted store first.
This reverts commit 0926cb9. This will be addressed by using the X509_V_FLAG_TRUSTED_FIRST flag during verification.
Tell OpenSSL to check the CA chain against the certificates in the trusted store first. It's possible to connect with https://bbuseruploads.s3.amazonaws.com/ again now, even though it uses a deprecated 1024 bits RSA certificate in its CA chain.
@bnoordhuis I'm kind of -1 on this. We already got a reply from OpenSSL dev team that this fix is kind of dangerous, because it is exposing timing of CA store lookup. Let's wait for reply from the OpenSSL before continuing with this. |
Ah, I do wish people would hit reply to all when answering a mailing list post, I didn't receive the reply. For posterity: http://www.mail-archive.com/openssl-dev@openssl.org/msg37892.html |
Aaah, sorry. I didn't know that you wasn't in recipient list. |
I also had a trouble to receive the openssl-dev mail last night. Seeing them, let's wait for a while. I've waited years for openssl-1.0.2 release to use ALPN. |
@shigeki I have requested comments for my patch too, may be we could adapt it for our purposes somehow before 1.0.2 will see the true fix. |
@indutny Indeed. Applying RT3621 is a good choice after reviewed. We should prepare to manage our private patches in deps/openssl not to forget to apply them in future updates. |
I'm closing this PR. We can continue the discussion in #402. |
Original commit message: Asterisks should be allowed in host validation as CNAMEs may reference wildcard domains CloudFlare appears to use this logic in CNAMEs as per nodejs#42171 Fixes: nodejs#457 Fix By: Brad House (@bradh352)
Original commit message: Asterisks should be allowed in host validation as CNAMEs may reference wildcard domains CloudFlare appears to use this logic in CNAMEs as per nodejs#42171 Fixes: nodejs#457 Fix By: Brad House (@bradh352)
Original commit message: Asterisks should be allowed in host validation as CNAMEs may reference wildcard domains CloudFlare appears to use this logic in CNAMEs as per #42171 Fixes: c-ares/c-ares#457 Fix By: Brad House (@bradh352) PR-URL: #42216 Fixes: #42171 Fixes: #457 Refs: c-ares/c-ares#457 Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Darshan Sen <raisinten@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Michael Dawson <midawson@redhat.com>
Original commit message: Asterisks should be allowed in host validation as CNAMEs may reference wildcard domains CloudFlare appears to use this logic in CNAMEs as per #42171 Fixes: c-ares/c-ares#457 Fix By: Brad House (@bradh352) PR-URL: #42216 Fixes: #42171 Fixes: #457 Refs: c-ares/c-ares#457 Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Darshan Sen <raisinten@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Michael Dawson <midawson@redhat.com>
Original commit message: Asterisks should be allowed in host validation as CNAMEs may reference wildcard domains CloudFlare appears to use this logic in CNAMEs as per nodejs#42171 Fixes: c-ares/c-ares#457 Fix By: Brad House (@bradh352) PR-URL: nodejs#42216 Fixes: nodejs#42171 Fixes: nodejs#457 Refs: c-ares/c-ares#457 Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Darshan Sen <raisinten@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Michael Dawson <midawson@redhat.com>
Original commit message: Asterisks should be allowed in host validation as CNAMEs may reference wildcard domains CloudFlare appears to use this logic in CNAMEs as per #42171 Fixes: c-ares/c-ares#457 Fix By: Brad House (@bradh352) PR-URL: #42216 Fixes: #42171 Fixes: #457 Refs: c-ares/c-ares#457 Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Darshan Sen <raisinten@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Michael Dawson <midawson@redhat.com>
Original commit message: Asterisks should be allowed in host validation as CNAMEs may reference wildcard domains CloudFlare appears to use this logic in CNAMEs as per #42171 Fixes: c-ares/c-ares#457 Fix By: Brad House (@bradh352) PR-URL: #42216 Fixes: #42171 Fixes: #457 Refs: c-ares/c-ares#457 Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Darshan Sen <raisinten@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Michael Dawson <midawson@redhat.com>
Original commit message: Asterisks should be allowed in host validation as CNAMEs may reference wildcard domains CloudFlare appears to use this logic in CNAMEs as per #42171 Fixes: c-ares/c-ares#457 Fix By: Brad House (@bradh352) PR-URL: #42216 Fixes: #42171 Fixes: #457 Refs: c-ares/c-ares#457 Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Darshan Sen <raisinten@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Michael Dawson <midawson@redhat.com>
Original commit message: Asterisks should be allowed in host validation as CNAMEs may reference wildcard domains CloudFlare appears to use this logic in CNAMEs as per nodejs#42171 Fixes: c-ares/c-ares#457 Fix By: Brad House (@bradh352) PR-URL: nodejs#42216 Fixes: nodejs#42171 Fixes: nodejs#457 Refs: c-ares/c-ares#457 Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Darshan Sen <raisinten@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Michael Dawson <midawson@redhat.com>
Tell OpenSSL to check the CA chain against the certificates in the
trusted store first.
It's possible to connect with https://bbuseruploads.s3.amazonaws.com/
again now, even though it uses a deprecated 1024 bits RSA certificate
in its CA chain.
R=@indutny, /cc @shigeki
Before merging this, I would like some discussion on whether X509_V_FLAG_TRUSTED_FIRST is really the best possible approach. I raised some questions about it here.