Incorrect version in self signed certificate #4007
Comments
|
@nbougalis Another one for you? |
|
Looks like this might have been the copy paste source :-) https://stackoverflow.com/questions/2883164/openssl-certificate-lacks-key-identifiers |
|
Simplest fix for this is to simply delete the erroneous line above and accept the default version ( https://www.openssl.org/docs/man3.0/man3/X509_set_version.html Perhaps this is a good lesson in checking return codes from C functions :-) Want a PR? |
|
Practically every x509 certificate out there has version 3, please use that if you fix this. |
|
https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.1
To me, that reads like it should be |
|
Bear in mind that this is only for the self-signed certificate. not the one that can be specified in the configuration file. It is notable that a lot of return codes are ignored in this code section as well. |
Hngggghhhh... As the co-author of https://docs.ansible.com/ansible/latest/collections/community/crypto/x509_certificate_module.html this looks a bit... let's call it fast and loose. Yeah, version 1 or 2 might be possible too, but maybe eventually there's some more advanced TLS functionality used to secure P2P connections - then at least this is one place that doesn't need changing or that one needs to worry about. Version 13 (version values are one-off...) is definitely a bug though that should be fixed. |
When starting, the code generates a new ephemeral private key and a corresponding certificate to go along with it. This process can take time and, while this is unlikely to matter for normal server operations, it can have a significant impact for unit testing and development. Profiling data suggests that ~20% of the time needed for a unit test run can be attributed to this. This commit does several things: 1. It restructures the code so that a new self-signed certificate and its corresponding private key are only initialized once at startup; this has minimal impact on the operation of a regular server. 2. It provides new default DH parameters. This doesn't impact the security of the connection, but those who compile from scratch can generate new parameters if they so choose. 3. It properly sets the version number in the certificate, fixing issue XRPLF#4007; thanks to @donovanhide for the report. 4. It uses SHA-256 instead of SHA-1 as the hash algorithm for the certificate and adds some X.509 extensions as well as a random 128-bit serial number. 5. It rounds the certificate's "start of validity" period so that the server's precise startup time cannot be easily deduced and limits the validity period to two years, down from ten years. 6. It removes some CBC-based ciphers from the default cipher list to avoid some potential security issues, such as CVE-2016-2107 and CVE-2013-0169.
and others
https://github.com/ripple/rippled/blob/9d89d4c1885e13e3c0aa7cdb4a389c6fbfd3790a/src/ripple/basics/impl/make_SSLContext.cpp#L159
X.509 certificates can have a version number between 1 and 3 inclusive. The constant
NID_X509equals 12. The correct constants are one ofX509_VERSION_1,X509_VERSION_2orX509_VERSION_3. Maybe this is an ancient copy paste error? Anyway, it stops Go'scrypto\tlslibrary parsing the certificate, reporting aninvalid version.The text was updated successfully, but these errors were encountered: