http: Skip hostname validation for OpenSSL < 1.0.2 #15
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I don't think silently omitting host name validation is a good idea. Even if the host doesn't have an OpenSSL version which supports it out of the box we shouldn't ignore origin host authentication since it leaves the implementation vulnerable to MITM attacks. I'd suggest adding an explicit compile-time flag such as |
When compiling with OpenSSL prior to 1.0.2 the following errors are
produced
src/http.c:280:5: warning: implicit declaration of function 'SSL_get0_param' [-Wimplicit-function-declaration]
...
src/http.c:281:5: warning: implicit declaration of function 'X509_VERIFY_PARAM_set1_host' [-Wimplicit-function-declaration]
These functions were only added in OpenSSL 1.0.2
Doing hostname validation prior to OpenSSL 1.0.2 is somewhat
convoluted[0], for this use case it's perhaps better to allow it to be
skipped when using OpenSSL older than 1.0.2
Add a check in the Makefile for the OpenSSL version and halt the build
and print a message saying what to do in such cases. E.g
$ make
***
*** OpenSSL too old (< 1.0.2)
***
*** If you are OK with skipping hostname validation then please build with
***
*** make OPENSSL_SKIP_HOST_VALIDATION=1
***
make: *** [Makefile:39: build_check] Error 1
this way the user is fully aware of what is happening...
[0]: https://wiki.openssl.org/index.php/Hostname_validation
ac000
force-pushed
the
skip_validate_host
branch
from
501476a
to
2e4a426
Compare
|
Fair enough. I've changed it so that we do a check in the Makefile and halt the build and print a message saying what to do when using OpenSSL < 1.0.2. Cheers, |
|
Looks good, thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hi,
ff-proxy is using some OpenSSL functions that were only introduced in 1.0.2, these are for doing hostname validation, While it can be done in OpenSSL prior ro 1.0.2, it's quite convoluted0
For this use case it's perhaps better to just skip it with OpenSSL older than 1.0.2
Hopefully this is the last of fixes needed for #9 (famous last words!).
Cheers,
Andrew