Rework tls internals #78

Merged
merged 4 commits into from
Dec 3, 2023

Conversation

jetmore
Owner

@jetmore jetmore commented Dec 3, 2023

  • Reorganize TLS internals to make support easier
  • Switch method for getting peer certs, making debug way more reliable
  • Clean up the output when we print local and peer cert info, make it more compact and uniform

The goal of this action is to produce a copy/pastable version of the command that was run for human debugging.

bugfix: it did not properly preserve quoted arguments.  It turned "--pipe 'smtp-server.pl --arg 1 --foo 2'" into "--pipe smtp-server.pl --arg 1 --foo 2".  It now maintains the quoting.
improvement: now adds backslashes and newlines after every option/arg pair to make it way easier to read.

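The quoting bug and the one-pair-per-line layout that commit describes, modelled in Python as an added example (not the project's own code; the `example-client` program name, the sample argument list and the helper names are constructed for the illustration):

```python
import shlex

# Constructed sample argv (not from the page): a --pipe value containing
# spaces, a bare flag, and a value containing a single quote.
SAMPLE_ARGV = [
    "--to", "user@example.com",
    "--pipe", "smtp-server.pl --arg 1 --foo 2",
    "--tls",
    "--header", "Subject: it's a test",
]


def pair_options(argv):
    """Group argv into (option, value) tuples; value is None for bare flags.
    Simplifying assumption: an option's value never itself starts with '-'."""
    pairs, i = [], 0
    while i < len(argv):
        opt = argv[i]
        if opt.startswith("-") and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            pairs.append((opt, argv[i + 1]))
            i += 2
        else:
            pairs.append((opt, None))
            i += 1
    return pairs


def naive_render(prog, argv):
    """Pre-fix behaviour: a plain space join silently drops the quoting."""
    return " ".join([prog] + argv)


def render_command(prog, argv):
    """Fixed behaviour: quote every token with shlex.quote so spaces and
    quotes survive a shell round-trip, and emit one option/arg pair per
    line joined with backslash-newline continuations."""
    lines = [shlex.quote(prog)]
    for opt, val in pair_options(argv):
        piece = shlex.quote(opt) if val is None else f"{shlex.quote(opt)} {shlex.quote(val)}"
        lines.append("    " + piece)
    return " \\\n".join(lines)


def shell_roundtrip(rendered):
    """Parse rendered text as a POSIX shell would: fold the backslash-newline
    continuations, then split into words honouring the quotes."""
    return shlex.split(rendered.replace(" \\\n", " "))
```

The naive join produces text a shell re-splits into more tokens than were given, while the quoted rendering reproduces the original argv exactly.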
no logic changes, just breaking the starttls method into logical groupings to make it easier to work on

Previously I saved copies of each cert I saw in the verify callback function.  This had all sorts of problems, including sometimes causing duplicates to appear, sometimes causing certs to appear that weren't presented (I think these were certs from the local CA, though this was not reliable enough to be useful), and getting different verification callbacks between macos/debian and freebsd, meaning testing wasn't working well on freebsd.

The solution is to skip getting the certs from verify and just get them directly from get_peer_cert_chain.  This is way, way more reliable and reproducible.

  - remove notBefore
  - move notAfter, serverAltName, and commonName to one line
  - wrap all in [], get rid of spaces cushioning subjectAltName
  - change DN= to subject=, wrap it in [] instead of double quotes
  - use peer/local[0] regardless of whether there's more than one cert
@jetmore jetmore added this to the next (TLS) milestone Dec 3, 2023
@jetmore jetmore merged commit 9bb7e6f into develop Dec 3, 2023
@jetmore jetmore deleted the rework-tls-internals branch December 3, 2023 20:46