Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Request for improved SSL server certificate verification #814

Open
sodabrew opened this issue Dec 7, 2017 · 1 comment
Open

Request for improved SSL server certificate verification #814

sodabrew opened this issue Dec 7, 2017 · 1 comment

Comments

@sodabrew
Copy link
Contributor

sodabrew commented Dec 7, 2017

From @SpComb on faye/faye-websocket-ruby#101 (comment)

I'm not entirely sure if this is the right PR/issue to discuss this on, but I can briefly summarize what EM support I think would be required for implementing SSL clients with server certificate verification,

Listed in terms of the exposed libssl APIs:

The ssl_verify_wrapper ignoring the preverify_ok parameter is the most blatantly broken part of the implementation, because this effectively bypasses all of the libssl certificate validation logic 👿

Based on my reading of the docs and issues like #275, I suspect this even includes very fundamental things like "the private key used to sign the session key matches the public key in the certificate".

I think the SSL_CTX_load_verify_locations + preverify_ok changes would be the bare minimum that would be required. These also match the changes dicussed/implemented in #378

Additional bonus points for:

SSL_get_verify_result + X509_verify_cert_error_string to allow the application to report more useful error messages than just "certificate verification failed"

Some convenience wrapper for the cert subject/hostname validation - ideally there should be some kind of secure: true/false boolean that doesn't require each client developer to research and write their own certificate verification wrappers for the vast majority of usecases

I think Ruby's OpenSSL::SSL.verify_certificate_identity can probably be used by applications together with the SSL_get_peer_certificate API, so it doesn't necessarily need to be part of EM itself.

@sodabrew
Copy link
Contributor Author

sodabrew commented Dec 12, 2017

No, sorry. The current versions do not offer complete cert verification.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant