Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto: use X509_V_FLAG_TRUSTED_FIRST for tls #457

Closed
wants to merge 3 commits into from

Conversation

bnoordhuis
Copy link
Member

Tell OpenSSL to check the CA chain against the certificates in the
trusted store first.

It's possible to connect with https://bbuseruploads.s3.amazonaws.com/
again now, even though it uses a deprecated 1024 bits RSA certificate
in its CA chain.

R=@indutny, /cc @shigeki

Before merging this, I would like some discussion on whether X509_V_FLAG_TRUSTED_FIRST is really the best possible approach. I raised some questions about it here.

Cherry-pick the X509_V_FLAG_TRUSTED_FIRST patch from upstream OpenSSL.

This flag tells OpenSSL to check the CA chain against the trusted store
first.
This reverts commit 0926cb9.

This will be addressed by using the X509_V_FLAG_TRUSTED_FIRST flag
during verification.
Tell OpenSSL to check the CA chain against the certificates in the
trusted store first.

It's possible to connect with https://bbuseruploads.s3.amazonaws.com/
again now, even though it uses a deprecated 1024 bits RSA certificate
in its CA chain.
@indutny
Copy link
Member

indutny commented Jan 15, 2015

@bnoordhuis I'm kind of -1 on this. We already got a reply from OpenSSL dev team that this fix is kind of dangerous, because it is exposing timing of CA store lookup. Let's wait for reply from the OpenSSL before continuing with this.

@bnoordhuis
Copy link
Member Author

Ah, I do wish people would hit reply to all when answering a mailing list post, I didn't receive the reply. For posterity: http://www.mail-archive.com/openssl-dev@openssl.org/msg37892.html

@indutny
Copy link
Member

indutny commented Jan 16, 2015

Aaah, sorry. I didn't know that you wasn't in recipient list.

@shigeki
Copy link
Contributor

shigeki commented Jan 16, 2015

I also had a trouble to receive the openssl-dev mail last night. Seeing them, let's wait for a while. I've waited years for openssl-1.0.2 release to use ALPN.

@indutny
Copy link
Member

indutny commented Jan 16, 2015

@shigeki I have requested comments for my patch too, may be we could adapt it for our purposes somehow before 1.0.2 will see the true fix.

@shigeki
Copy link
Contributor

shigeki commented Jan 16, 2015

@indutny Indeed. Applying RT3621 is a good choice after reviewed. We should prepare to manage our private patches in deps/openssl not to forget to apply them in future updates.

@bnoordhuis
Copy link
Member Author

I'm closing this PR. We can continue the discussion in #402.

@bnoordhuis bnoordhuis closed this Jan 16, 2015
arronwoods pushed a commit to arronwoods/node that referenced this pull request Mar 4, 2022
Original commit message:

Asterisks should be allowed in host validation as CNAMEs may reference wildcard domains

CloudFlare appears to use this logic in CNAMEs as per
nodejs#42171

Fixes: nodejs#457
Fix By: Brad House (@bradh352)
arronwoods pushed a commit to arronwoods/node that referenced this pull request Mar 4, 2022
Original commit message:

Asterisks should be allowed in host validation as CNAMEs may reference
wildcard domains

CloudFlare appears to use this logic in CNAMEs as per
nodejs#42171

Fixes: nodejs#457
Fix By: Brad House (@bradh352)
benjamingr pushed a commit that referenced this pull request Mar 13, 2022
Original commit message:

Asterisks should be allowed in host validation as CNAMEs may reference
wildcard domains

CloudFlare appears to use this logic in CNAMEs as per
#42171

Fixes: c-ares/c-ares#457
Fix By: Brad House (@bradh352)

PR-URL: #42216
Fixes: #42171
Fixes: #457
Refs: c-ares/c-ares#457
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michael Dawson <midawson@redhat.com>
bengl pushed a commit that referenced this pull request Mar 21, 2022
Original commit message:

Asterisks should be allowed in host validation as CNAMEs may reference
wildcard domains

CloudFlare appears to use this logic in CNAMEs as per
#42171

Fixes: c-ares/c-ares#457
Fix By: Brad House (@bradh352)

PR-URL: #42216
Fixes: #42171
Fixes: #457
Refs: c-ares/c-ares#457
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michael Dawson <midawson@redhat.com>
danielleadams pushed a commit to danielleadams/node that referenced this pull request Apr 21, 2022
Original commit message:

Asterisks should be allowed in host validation as CNAMEs may reference
wildcard domains

CloudFlare appears to use this logic in CNAMEs as per
nodejs#42171

Fixes: c-ares/c-ares#457
Fix By: Brad House (@bradh352)

PR-URL: nodejs#42216
Fixes: nodejs#42171
Fixes: nodejs#457
Refs: c-ares/c-ares#457
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michael Dawson <midawson@redhat.com>
danielleadams pushed a commit that referenced this pull request Apr 24, 2022
Original commit message:

Asterisks should be allowed in host validation as CNAMEs may reference
wildcard domains

CloudFlare appears to use this logic in CNAMEs as per
#42171

Fixes: c-ares/c-ares#457
Fix By: Brad House (@bradh352)

PR-URL: #42216
Fixes: #42171
Fixes: #457
Refs: c-ares/c-ares#457
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michael Dawson <midawson@redhat.com>
danielleadams pushed a commit that referenced this pull request Apr 24, 2022
Original commit message:

Asterisks should be allowed in host validation as CNAMEs may reference
wildcard domains

CloudFlare appears to use this logic in CNAMEs as per
#42171

Fixes: c-ares/c-ares#457
Fix By: Brad House (@bradh352)

PR-URL: #42216
Fixes: #42171
Fixes: #457
Refs: c-ares/c-ares#457
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michael Dawson <midawson@redhat.com>
danielleadams pushed a commit that referenced this pull request Apr 24, 2022
Original commit message:

Asterisks should be allowed in host validation as CNAMEs may reference
wildcard domains

CloudFlare appears to use this logic in CNAMEs as per
#42171

Fixes: c-ares/c-ares#457
Fix By: Brad House (@bradh352)

PR-URL: #42216
Fixes: #42171
Fixes: #457
Refs: c-ares/c-ares#457
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michael Dawson <midawson@redhat.com>
xtx1130 pushed a commit to xtx1130/node that referenced this pull request Apr 25, 2022
Original commit message:

Asterisks should be allowed in host validation as CNAMEs may reference
wildcard domains

CloudFlare appears to use this logic in CNAMEs as per
nodejs#42171

Fixes: c-ares/c-ares#457
Fix By: Brad House (@bradh352)

PR-URL: nodejs#42216
Fixes: nodejs#42171
Fixes: nodejs#457
Refs: c-ares/c-ares#457
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants