Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

curl+quiche with HTTP/3 silently ignores certificate problems #8173

Closed
bagder opened this issue Dec 21, 2021 · 5 comments
Closed

curl+quiche with HTTP/3 silently ignores certificate problems #8173

bagder opened this issue Dec 21, 2021 · 5 comments
Assignees
Labels
HTTP/3

Comments

@bagder
Copy link
Member

@bagder bagder commented Dec 21, 2021

I did this

  1. I start a test h3 server locally. In my case I run nghttpx with h3 abilities, using a cert + key from curl's test directory.
  2. This cert is not signed by any CA in my system CA store
  3. I run curl against this server to download a resource: ./curl --http3 https://localhost:9443/8GB -o /dev/null
  4. This works fine!

I expected the following

It should have failed and required -k or a suitable --cacert line.

curl/libcurl version

curl from current git. It works similarly using either/both HTTP/3 backends.

operating system

Tested on Linux but the code is platform independent.

@bagder bagder added the HTTP/3 label Dec 21, 2021
@bagder
Copy link
Member Author

@bagder bagder commented Dec 22, 2021

@tatsuhiro-t can you point out which ngtcp2 functions I should look closer on to fix this?

@ghedo can you point out which quiche functions I should look closer on to fix this?

@tatsuhiro-t
Copy link
Contributor

@tatsuhiro-t tatsuhiro-t commented Dec 22, 2021

Usual OpenSSL SSL_CTX or SSL setup is required here for ngtcp2 build.
I think something like

curl/lib/vtls/openssl.c

Lines 3181 to 3182 in 2c1dbc1

SSL_CTX_set_verify(backend->ctx,
verifypeer ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL);
will fix this issue.

@bagder
Copy link
Member Author

@bagder bagder commented Dec 22, 2021

Thanks @tatsuhiro-t, that seems to fix the verification of the signatures for the OpenSSL branch. But I then also need to verify the CN and subjectAltName fields like we do with servercert for TCP+TLS at

static CURLcode servercert(struct Curl_easy *data,

I figure that needs to be done after the handshake is completed so that we can get the peer cert using the API.

@bagder
Copy link
Member Author

@bagder bagder commented Dec 23, 2021

Half the check (missing the name check) is done for ngtcp2+quictls in #8178

bagder added a commit that referenced this issue Dec 25, 2021
Make ngtcp2+quictls correctly acknowledge `CURLOPT_SSL_VERIFYPEER` and
`CURLOPT_SSL_VERIFYHOST`.

The name check now uses a function from lib/vtls/openssl.c which will
need attention for when TLS is not done by OpenSSL or is disabled while
QUIC is enabled.

Possibly the servercert() function in openssl.c should be adjusted to be
able to use for both regular TLS and QUIC.

Ref: #8173
bagder added a commit that referenced this issue Dec 25, 2021
Make ngtcp2+quictls correctly acknowledge `CURLOPT_SSL_VERIFYPEER` and
`CURLOPT_SSL_VERIFYHOST`.

The name check now uses a function from lib/vtls/openssl.c which will
need attention for when TLS is not done by OpenSSL or is disabled while
QUIC is enabled.

Possibly the servercert() function in openssl.c should be adjusted to be
able to use for both regular TLS and QUIC.

Ref: #8173
bagder added a commit that referenced this issue Dec 28, 2021
Make ngtcp2+quictls correctly acknowledge `CURLOPT_SSL_VERIFYPEER` and
`CURLOPT_SSL_VERIFYHOST`.

The name check now uses a function from lib/vtls/openssl.c which will
need attention for when TLS is not done by OpenSSL or is disabled while
QUIC is enabled.

Possibly the servercert() function in openssl.c should be adjusted to be
able to use for both regular TLS and QUIC.

Ref: #8173
Closes #8178
@bagder
Copy link
Member Author

@bagder bagder commented Dec 28, 2021

This problem is now fixed in master (8fbd6fe) for the ngtcp2 backend.

@bagder bagder changed the title curl with HTTP/3 silently ignores certificate problems curl+quiche with HTTP/3 silently ignores certificate problems Jan 1, 2022
@bagder bagder self-assigned this Jan 2, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
HTTP/3
Projects
None yet
Development

No branches or pull requests

3 participants
@bagder @tatsuhiro-t and others