ServerTlsContext: allow disabling verify peer name#112
Conversation
Thomas-Gelf
force-pushed
the
fix/allow-to-verify-peer-wo-name
branch
2 times, most recently
from
b18d6ca to
1ff27dc
Compare
Motivation: servers accepting connections from trusted peers do not know the expected peer name in advance. Therefore, it must be possible to accept incoming connections (validating their client certificate) without being forced to specify an expected client name. You do not need this when using amphp/socket to run your very own public web server, but it is a requirement when running every other kind of service based on trusted client certificates (with more than one client). Similar (but not the same) use cases applies with clients, that should connect to trusted peers, w/o knowing their name in advance. This patch tries to address this, while preserving compatibility with the current behaviour.
Thomas-Gelf
force-pushed
the
fix/allow-to-verify-peer-wo-name
branch
from
1ff27dc to
ff30eac
Compare
|
Hint: with the last force-push I applied a similar patch for ClientTlsContext too. Faced this issue there too, and keeping them similar makes sense anyway. |
|
How does your setup look like? How are the certificates validated? |
|
Hi @kelunik, custom CA / trust store directory. Verify_peer rejects every connection not signed by a trusted CA. Peer names are not known at connection setup time, especially not on the server side - verify_peer_name is therefore a problem. Once verify_peer allowed connection setup, we grant dedicated permissions based on certificate subject/name or custom certificate extensions. Cheers, |
|
@kelunik: if you have related concerns/doubts or different opinions, please let me know |
|
@Thomas-Gelf Sorry for still not tagging a release, yet. Could you please have a look at 0169e97? If you think this is a good idea, I'll go ahead and tag a release. |
|
Hi @kelunik, what worries me is that with those changes the following lines would unexpectedly have a different outcome: $ctx->withoutPeerNameVerification()->withPeerVerification();
$ctx->withPeerVerification()->withoutPeerNameVerification();Your change might be related to my "magic" when asking for peer name verification state. My motivation was that there cannot be a name verification w/o peer verification for a Server. For clients this would also make no sense from a cryptographic point of view, but someone might argue that he is only interested in a pure string comparison to make sure, to not connect to the wrong server, while not knowing the related CA. And NO, personally I wouldn't do this. If you want to streamline Server and Client please feel free to remove some magic, but please do not introduce the change resulting in the behaviour shown above. In a completely "transparent" implementation (just wrapping context options), there isn't much to discuss, but as soon as we try to provide specific default behaviours and "good choices" on behalf of developers / users of this library, things get complicated quickly ;-) IMHO, in this context treating Client and Server differently is absolutely valid, if not required.
Hope this helps! Cheers, |
|
Thank you for the very detailed and fast response!
Indeed, that's why we didn't allow to change only verify peer name to begin with. $ctx->withoutPeerNameVerification()->withPeerVerification();
$ctx->withPeerVerification()->withoutPeerNameVerification();Regarding those two, what's your expectation vs. actual result? When I read those, the behavior I introduced seems the expected result IMO, but it has of course the downside of first having to decide on overall peer verification and then about the name. We could probably even make the choice based on whether a peer name is provided or not for clients? In the end, we also use mTLS at work with a custom CA and don't care about the peer names there. |
Sure, but the other way round, using verify_peer w/o verify_peer_name is an absolutely useful option in a Server context ;-)
I would expect both to result in
For Clients this would be a valid choice, yes. Someone out there might disagree, because of... reasons. However, this combination wasn't possible until now, and no one complained - so it would be fine I guess.
So that's probably why you discovered this PR again I guess 😅 |
If you sort these alphabetically there might always be unexpected changes. Some method might set multiple settings at once and then a later one change things. That's for example the case here, but I can imagine other cases, security level is an implicit one with similar effect. The good thing is, even if someone does it wrong, it will be secure and not leave a security hole. It just won't work. If I read these literally without having PHPs native options in mind, the result seems expected to me.
It's actually a completely different stack (Java), but yeah. I rediscovered it now due to a chat message. 😅 |
3 participants
Motivation: servers accepting connections from trusted peers do not know the expected peer name in advance. Therefore, it must be possible to accept incoming connections (validating their client certificate) without being forced to specify an expected client name.
You do not need this when using amphp/socket to run your very own public web server, but it is a requirement when running every other kind of service based on trusted client certificates (with more than one client).
This patch tries to address this, while preserving compatibility with the current behaviour.