This repository has been archived by the owner on Oct 23, 2024. It is now read-only.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The current code fails to validate intermediate cert that has an expired root cert that is part of the trust store, example:
DST root ca
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/example, run the monitor against
letsencrypt.org
and the cert validation will fail, whereas it passes with openssl and chrome.The problem with the current logic is that it verifies every cert in the chain "independently", so when it reaches the last CA in the chain , in our example: "ISRG Root CA" , the verification func fails to build a chain > 0 with a cert from the trust store as the CA for ISRG is DST which is expired .
The other problem, the current logic does not count for certs with multiple intermediate chains.
I discussed this issue with @keitwb and we decided that it made sense to simply use the client to do the validation, as it covers all those corner cases.
I changed the code to count on
Handshake
to set the TLS stats@xp-1000 please take a look
Signed-off-by: Dani Louca dlouca@splunk.com