ssl_verify_peer() not called on CA mismatch of cert and key #275

Open
Zapotek opened this issue Nov 2, 2011 · 3 comments

Zapotek commented Nov 2, 2011

Code: https://gist.github.com/1332896
Links to the PEM files required for it are found in the comment.

If the server is run as is, it produces the desirable output of:

client: Sending: Hi
client: VERIFY
client: VERIFY
server: VERIFY
server: VERIFY
server: VERIFY
server: Received: Hi

However, if you alter it like so (so that the key and cert are from different CAs):

client_opts = {
    :ssl => {
        # :private_key_file => 'key.pem',
        :private_key_file => 'foo-key.pem',
        :cert_chain_file  => 'cert.pem',
        # :cert_chain_file  => 'foo-cert.pem',
    },
    :role => :client
}

The script produces:

client: Sending: Hi
client: VERIFY
client: VERIFY
server: Received: Hi

This means that ssl_verify_peer() is being bypassed and the request is being forwarded to receive_data(), which should not have happened, as it nullifies any sort of authN/authZ system that relies on SSL peer verification.
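The defensive pattern that the report above implies, as an added example that is not part of the issue, the gist, or EventMachine itself: a mixin for an EventMachine connection that records whether ssl_verify_peer() actually ran and accepted every certificate, and refuses to pass data to the application otherwise, so a skipped verification callback fails closed instead of silently reaching receive_data(). Assumptions: receive_verified_data is a hypothetical application callback, SimulatedConnection stands in for EM::Connection so the scenarios run without the gem, and the certificate strings and pinned fingerprints are constructed sample values rather than the PEM files from the gist.

```ruby
require 'digest'

# Fail-closed guard for an EventMachine TLS connection (added example).
# Tracks whether ssl_verify_peer() ran and accepted the whole chain before
# any application data is delivered.
module FailClosedPeerGuard
  # EventMachine calls this once per certificate in the peer's chain when
  # :verify_peer => true is set; returning false aborts the handshake.
  def ssl_verify_peer(cert_pem)
    @verify_calls = (@verify_calls || 0) + 1
    accepted = trusted_cert?(cert_pem)
    # Once any certificate in the chain is rejected, the peer stays rejected.
    @all_accepted = accepted unless @all_accepted == false
    accepted
  end

  # EventMachine calls this after the TLS handshake finishes.
  def ssl_handshake_completed
    @handshake_done = true
  end

  # Application data only flows if verification demonstrably happened.
  def receive_data(data)
    unless peer_verified?
      @rejected = (@rejected || 0) + 1
      close_connection
      return
    end
    receive_verified_data(data) # hypothetical application callback
  end

  def peer_verified?
    @handshake_done == true && @all_accepted == true && (@verify_calls || 0) > 0
  end

  def rejected_count
    @rejected || 0
  end

  # Trust decision: pin the SHA-256 of the presented PEM. A real deployment
  # would parse it with OpenSSL::X509::Certificate and verify the chain
  # against a CA store; pinning keeps this example offline.
  def trusted_cert?(cert_pem)
    pinned_fingerprints.include?(Digest::SHA256.hexdigest(cert_pem))
  end

  def pinned_fingerprints
    []
  end
end

# Stand-in for EM::Connection so the scenarios run without the gem.
class SimulatedConnection
  include FailClosedPeerGuard
  attr_reader :delivered, :closed

  def initialize(pinned)
    @pinned = pinned
    @delivered = []
    @closed = false
  end

  def pinned_fingerprints; @pinned; end
  def close_connection; @closed = true; end
  def receive_verified_data(data); @delivered << data; end
end

# Constructed sample "certificates" (not real PEM data).
GOOD_CERT = "-----BEGIN CERTIFICATE-----\nconstructed-good\n-----END CERTIFICATE-----\n"
BAD_CERT  = "-----BEGIN CERTIFICATE-----\nconstructed-bad\n-----END CERTIFICATE-----\n"
PINNED    = [Digest::SHA256.hexdigest(GOOD_CERT)]

# Normal path: verify callback runs and accepts, then data arrives.
def scenario_verified
  conn = SimulatedConnection.new(PINNED)
  conn.ssl_verify_peer(GOOD_CERT)
  conn.ssl_handshake_completed
  conn.receive_data('Hi')
  conn
end

# The behaviour reported in this issue: the handshake completes but
# ssl_verify_peer never fires, and receive_data is invoked anyway.
def scenario_verify_skipped
  conn = SimulatedConnection.new(PINNED)
  conn.ssl_handshake_completed
  conn.receive_data('Hi')
  conn
end

# Verify callback runs but rejects the certificate.
def scenario_rejected
  conn = SimulatedConnection.new(PINNED)
  conn.ssl_verify_peer(BAD_CERT)
  conn.receive_data('Hi')
  conn
end

if __FILE__ == $PROGRAM_NAME
  { verified: scenario_verified, skipped: scenario_verify_skipped,
    rejected: scenario_rejected }.each do |name, c|
    puts "#{name}: delivered=#{c.delivered.inspect} closed=#{c.closed}"
  end
end
```

In the skipped scenario the guard closes the connection and delivers nothing, which is the outcome the gist's second run should have produced; the same check also catches the case where the callback runs but rejects a certificate.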

ibc (Contributor) commented Nov 3, 2011

Strongly agreed.


caiquanqing commented Feb 17, 2012

I have the fix for it here: https://github.com/caiquanqing/eventmachine/tree/ssl_verify_peer-fix. I also submitted pull request 299.


vpereira commented Mar 20, 2012

+1 needing it
