ssl_verify_peer() not called on CA mismatch of cert and key #275

Open
Zapotek opened this Issue Nov 2, 2011 · 3 comments

Projects

None yet

4 participants

@Zapotek
Zapotek commented Nov 2, 2011

Code: https://gist.github.com/1332896
Link to the PEM files required for it are found in the comment.

If the server is run as is, it produces the desirable output of:

client: Sending: Hi
client: VERIFY
client: VERIFY
server: VERIFY
server: VERIFY
server: VERIFY
server: Received: Hi 

However, if you alter it like so (so that the key and cert are from different CAs):

client_opts = {
    :ssl => {
        # :private_key_file => 'key.pem',
        :private_key_file => 'foo-key.pem',
        :cert_chain_file  => 'cert.pem',
        # :cert_chain_file  => 'foo-cert.pem',
    },
    :role => :client
} 

The script produces:

client: Sending: Hi
client: VERIFY
client: VERIFY
server: Received: Hi

Which means that ssl_verify_peer() is being bypassed and the request is being forwarded to receive_data() which should not have happened as it nullifies any sort of authN/authZ system that relies on SSL peer verification.

Contributor
ibc commented Nov 3, 2011

Strongly agreed.

I have the fix for it here: https://github.com/caiquanqing/eventmachine/tree/ssl_verify_peer-fix, I also submitted pull request 299</a.>

+1 needing it

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment