[openssl-dev] Is X509_V_FLAG_TRUSTED_FIRST safe to backport to 1.0.1

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

[openssl-dev] Is X509_V_FLAG_TRUSTED_FIRST safe to backport to 1.0.1

Fedor Indutny
Hello!

During the course of deprecation of stale 1024bit CA certs,
node.js and io.js project teams have identified the problem with
how OpenSSL client handles the server's certificate chain. It is
quite evident that it ignores certificate store and loads issuer
from the chain that was received. This leads to the problems with
AWS and probably other service providers who sent the stale
**alternative** certificate chain with same serial numbers, but
1024bit CA certificates.

I have already tried proposing a solution to the OpenSSL team:


But one of the node.js contributors we have found this commit (from 2010):


The main question that I have is:

Is it safe to float this patch on top of 1.0.1k and use it? From
my knowledge of code it appears to be pretty harmless, however
the fact that it wasn't backported in 5 years makes me wonder if
it was considered safe after all.

Thank you,
Fedor.


_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl-dev] Is X509_V_FLAG_TRUSTED_FIRST safe to backport to 1.0.1

Matt Caswell-2


On 15/01/15 14:13, Fedor Indutny wrote:

> Hello!
>
> During the course of deprecation of stale 1024bit CA certs,
> node.js and io.js project teams have identified the problem with
> how OpenSSL client handles the server's certificate chain. It is
> quite evident that it ignores certificate store and loads issuer
> from the chain that was received. This leads to the problems with
> AWS and probably other service providers who sent the stale
> **alternative** certificate chain with same serial numbers, but
> 1024bit CA certificates.
>
> I have already tried proposing a solution to the OpenSSL team:
>
> https://www.mail-archive.com/openssl-dev@.../msg37721.html
>
> But one of the node.js contributors we have found this commit (from 2010):
>
> https://github.com/openssl/openssl/commit/db28aa86e00b9121bee94d1e65506bf22d5ca6e3
>
> The main question that I have is:
>
> Is it safe to float this patch on top of 1.0.1k and use it? From
> my knowledge of code it appears to be pretty harmless, however
> the fact that it wasn't backported in 5 years makes me wonder if
> it was considered safe after all.

There are some concerns about the performance of trusted_first.
Successful certificate look ups are cached, whilst failed ones are not.
Therefore using trusted_first *could* have an adverse impact.

This issue is currently under discussion within the dev team. I have an
alternative patch that addresses the same issue in a different way.
Essentially it works in a similar way to that which you proposed in
RT3637. However I have some issues with that patch, so I've done it
slightly differently.

RT3621 is also relevant here.

Matt

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl-dev] Is X509_V_FLAG_TRUSTED_FIRST safe to backport to 1.0.1

Matt Caswell-2


On 15/01/15 14:21, Matt Caswell wrote:

>
>
> On 15/01/15 14:13, Fedor Indutny wrote:
>> Hello!
>>
>> During the course of deprecation of stale 1024bit CA certs,
>> node.js and io.js project teams have identified the problem with
>> how OpenSSL client handles the server's certificate chain. It is
>> quite evident that it ignores certificate store and loads issuer
>> from the chain that was received. This leads to the problems with
>> AWS and probably other service providers who sent the stale
>> **alternative** certificate chain with same serial numbers, but
>> 1024bit CA certificates.
>>
>> I have already tried proposing a solution to the OpenSSL team:
>>
>> https://www.mail-archive.com/openssl-dev@.../msg37721.html
>>
>> But one of the node.js contributors we have found this commit (from 2010):
>>
>> https://github.com/openssl/openssl/commit/db28aa86e00b9121bee94d1e65506bf22d5ca6e3
>>
>> The main question that I have is:
>>
>> Is it safe to float this patch on top of 1.0.1k and use it? From
>> my knowledge of code it appears to be pretty harmless, however
>> the fact that it wasn't backported in 5 years makes me wonder if
>> it was considered safe after all.
>
> There are some concerns about the performance of trusted_first.
> Successful certificate look ups are cached, whilst failed ones are not.
> Therefore using trusted_first *could* have an adverse impact.
>
> This issue is currently under discussion within the dev team. I have an
> alternative patch that addresses the same issue in a different way.
> Essentially it works in a similar way to that which you proposed in
> RT3637. However I have some issues with that patch, so I've done it
> slightly differently.
>
> RT3621 is also relevant here.

I should add that in any case this functionality would never be
backported to 1.0.1 (only considered for future versions). 1.0.1 is a
stable release and only sees bug fixes. This would be considered a
feature and a significant change to the way certificates are verified.

Matt

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl-dev] Is X509_V_FLAG_TRUSTED_FIRST safe to backport to 1.0.1

Fedor Indutny
Matt,

Thank you for reply.

May I ask you when do you think your patch may land in 1.0.2 or whatever?

If this is something of your long term goals and not going to land anywhere soon. Could you please tell me about issues in my patch (either privately or in publiс)?

Thank you again,
Fedor.

On Thursday, January 15, 2015, Matt Caswell <[hidden email]> wrote:


On 15/01/15 14:21, Matt Caswell wrote:
>
>
> On 15/01/15 14:13, Fedor Indutny wrote:
>> Hello!
>>
>> During the course of deprecation of stale 1024bit CA certs,
>> node.js and io.js project teams have identified the problem with
>> how OpenSSL client handles the server's certificate chain. It is
>> quite evident that it ignores certificate store and loads issuer
>> from the chain that was received. This leads to the problems with
>> AWS and probably other service providers who sent the stale
>> **alternative** certificate chain with same serial numbers, but
>> 1024bit CA certificates.
>>
>> I have already tried proposing a solution to the OpenSSL team:
>>
>> https://www.mail-archive.com/openssl-dev@.../msg37721.html
>>
>> But one of the node.js contributors we have found this commit (from 2010):
>>
>> https://github.com/openssl/openssl/commit/db28aa86e00b9121bee94d1e65506bf22d5ca6e3
>>
>> The main question that I have is:
>>
>> Is it safe to float this patch on top of 1.0.1k and use it? From
>> my knowledge of code it appears to be pretty harmless, however
>> the fact that it wasn't backported in 5 years makes me wonder if
>> it was considered safe after all.
>
> There are some concerns about the performance of trusted_first.
> Successful certificate look ups are cached, whilst failed ones are not.
> Therefore using trusted_first *could* have an adverse impact.
>
> This issue is currently under discussion within the dev team. I have an
> alternative patch that addresses the same issue in a different way.
> Essentially it works in a similar way to that which you proposed in
> RT3637. However I have some issues with that patch, so I've done it
> slightly differently.
>
> RT3621 is also relevant here.

I should add that in any case this functionality would never be
backported to 1.0.1 (only considered for future versions). 1.0.1 is a
stable release and only sees bug fixes. This would be considered a
feature and a significant change to the way certificates are verified.

Matt

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl-dev] Is X509_V_FLAG_TRUSTED_FIRST safe to backport to 1.0.1

Matt Caswell-2


On 15/01/15 17:06, Fedor Indutny wrote:
> Matt,
>
> Thank you for reply.
>
> May I ask you when do you think your patch may land in 1.0.2 or whatever?
>
> If this is something of your long term goals and not going to land
> anywhere soon. Could you please tell me about issues in my patch (either
> privately or in publiс)?

My apologies for the delayed response. Things went a bit mad for a while
with releases and the source code reformat, and I completely forgot
about this email :-(

I am hoping my patch will land in master (which means 1.1.0...aiming for
an end of year release).

I will add some notes to your RT ticket regarding your patch.

You can see my draft patch here:
https://github.com/mattcaswell/openssl/commits/late-check-trusted-v2

This is still going through review so may change.

Matt
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl-dev] Is X509_V_FLAG_TRUSTED_FIRST safe to backport to 1.0.1

Fedor Indutny
Thank you!

On Tue, Jan 27, 2015 at 6:02 PM, Matt Caswell <[hidden email]> wrote:


On 15/01/15 17:06, Fedor Indutny wrote:
> Matt,
>
> Thank you for reply.
>
> May I ask you when do you think your patch may land in 1.0.2 or whatever?
>
> If this is something of your long term goals and not going to land
> anywhere soon. Could you please tell me about issues in my patch (either
> privately or in publiс)?

My apologies for the delayed response. Things went a bit mad for a while
with releases and the source code reformat, and I completely forgot
about this email :-(

I am hoping my patch will land in master (which means 1.1.0...aiming for
an end of year release).

I will add some notes to your RT ticket regarding your patch.

You can see my draft patch here:
https://github.com/mattcaswell/openssl/commits/late-check-trusted-v2

This is still going through review so may change.

Matt
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev