SSL_CTX ignores many X509_STORE fields and uses own fields


SSL_CTX ignores many X509_STORE fields and uses own fields

Daurnimator
When looking into https://github.com/wahern/luaossl/issues/140 I was
surprised to learn that an SSL_CTX* (and SSL*) does not use many of
the X509_STORE members.

e.g. a store has an X509_VERIFY_PARAMS field, however although an
SSL_CTX* has a related store, it ignores the store's params and uses
its own.

For a connection pooling implementation, I need to check that an
existing SSL connection is something that could be approved by a given
SSL_CTX*.
I was hoping this would be as simple as doing (error handling omitted
for brevity):

    X509_STORE_CTX_init(vfy_ctx, SSL_CTX_get0_store(ctx),
                        SSL_get_certificate(ssl), NULL);
    X509_verify_cert(vfy_ctx);

However it appears that I really need to do:

    X509_STORE_CTX_init(vfy_ctx, SSL_CTX_get0_store(ctx),
                        SSL_get_certificate(ssl), NULL);
    /* the store's own params are not the ones the SSL_CTX enforces */
    X509_VERIFY_PARAM_inherit(X509_STORE_CTX_get0_param(vfy_ctx),
                              SSL_CTX_get0_param(ctx));
    // X509_STORE_CTX_set_verify_cb based on SSL_CTX_get_verify_callback(ctx)
    // X509_STORE_CTX_set0_dane
    // etc. etc.
    X509_verify_cert(vfy_ctx);

Is this complexity warranted?
Is there any plan to remove the redundant fields?

Daurn.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: SSL_CTX ignores many X509_STORE fields and uses own fields

Daurnimator
On 12 July 2018 at 18:49, Daurnimator <[hidden email]> wrote:

> When looking into https://github.com/wahern/luaossl/issues/140 I was
> surprised to learn that an SSL_CTX* (and SSL*) does not use many of
> the X509_STORE members.
>
> e.g. a store has an X509_VERIFY_PARAMS field, however although an
> SSL_CTX* has a related store, it ignores the store's params and uses
> its own.
>
> For a connection pooling implementation, I need to check that an
> existing SSL connection is something that could be approved by a given
> SSL_CTX*.
> I was hoping this would be as simple as doing (error handling omitted
> for brevity):
>
>     X509_STORE_CTX_init(vfy_ctx, SSL_CTX_get0_store(ctx),
>                         SSL_get_certificate(ssl), NULL);
>     X509_verify_cert(vfy_ctx);
>
> However it appears that I really need to do:
>
>     X509_STORE_CTX_init(vfy_ctx, SSL_CTX_get0_store(ctx),
>                         SSL_get_certificate(ssl), NULL);
>     X509_VERIFY_PARAM_inherit(X509_STORE_CTX_get0_param(vfy_ctx),
>                               SSL_CTX_get0_param(ctx));
>     // X509_STORE_CTX_set_verify_cb based on SSL_CTX_get_verify_callback(ctx)
>     // X509_STORE_CTX_set0_dane
>     // etc. etc.
>     X509_verify_cert(vfy_ctx);
>
> Is this complexity warranted?
> Is there any plan to remove the redundant fields?
>
> Daurn.

Has anyone had time to look into this?
I filed the related https://github.com/openssl/openssl/issues/6709

Re: SSL_CTX ignores many X509_STORE fields and uses own fields

Viktor Dukhovni
On Fri, Aug 17, 2018 at 11:25:01PM +1000, Daurnimator wrote:

> > When looking into https://github.com/wahern/luaossl/issues/140 I was
> > surprised to learn that an SSL_CTX* (and SSL*) does not use many of
> > the X509_STORE members.

There are no plans to change the design.  You can set the verification
store associated with the SSL_CTX via:

        SSL_CTX_set0_verify_cert_store(3)
    or
        SSL_CTX_set1_verify_cert_store(3)

Do this early, before using the SSL_CTX to create SSL handles with
SSL_new().  Configure the store properties as you see fit.

--
        Viktor.

Re: SSL_CTX ignores many X509_STORE fields and uses own fields

Daurnimator
On 18 August 2018 at 03:18, Viktor Dukhovni <[hidden email]> wrote:

> On Fri, Aug 17, 2018 at 11:25:01PM +1000, Daurnimator wrote:
>
>> > When looking into https://github.com/wahern/luaossl/issues/140 I was
>> > surprised to learn that an SSL_CTX* (and SSL*) does not use many of
>> > the X509_STORE members.
>
> There are no plans to change the design.  You can set the verification
> store associated with the SSL_CTX via:
>
>         SSL_CTX_set0_verify_cert_store(3)
>     or
>         SSL_CTX_set1_verify_cert_store(3)
>
> do this early, before using the SSL_CTX to create SSL handles with
> SSL_new().  Configure the store properties as you see fit.

I understand the current design; but I'm left wondering why it has an
additional store member when VERIFY_PARAMS has the field there
already.
The design would seem to be much cleaner if all criteria for
verification are taken from a single object.

Re: SSL_CTX ignores many X509_STORE fields and uses own fields

Viktor Dukhovni

> On Aug 17, 2018, at 10:52 PM, Daurnimator <[hidden email]> wrote:
>
> I understand the current design; but I'm left wondering why it has an
> additional store member when VERIFY_PARAMS has the field there
> already.
> The design would seem to be much cleaner if all criteria for
> verification are taken from a single object.

They are taken from a single object, the X509 store associated with
the SSL_CTX, which is used to verify the peer per SSL_CTX_set_verify().

--
        Viktor.