-
Notifications
You must be signed in to change notification settings - Fork 134
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TLS Peer verification: ssl_verify_peer
does not support multiple CAs
#151
Comments
Thanks for the report, I will take a look |
I'm currently writing tests for a PR that I could be ready to submit pretty soon. I've been using the same code as a monkey-patch in the real world and it's working out well. |
That's great, thanks a lot! |
Fixed via #152 |
@wallyqs would there be a possibility to have a new release of the GEM that includes this fix sometime soon ? thanks |
yes will be doing a release this week |
Left the same comment in the PR: One small gotcha that we're finding with this, is that if the CAs in the CA file have the same SANs/CN, then OpenSSL::X509::Store add_file or the verification process seems to ignore the second CA with the same SAN. I'm working on a solution that either allows duplicates easily at the store level, or if openssl config is required. This PR still helps in the case where there are CAs with different SANs, which is very common anyways. @pivotal-jamil-shamy because we use the same SANs we'll need to figure out what the proper solution is. The PR is still useful for others without the same SANs. |
@h4xnoodle @pivotal-jamil-shamy new gem is published now with the changes: |
@wallyqs thank you ! |
Currently using 0.8.2
In the client here: https://github.com/nats-io/ruby-nats/blob/master/lib/nats/client.rb#L830, only the first pem found in
options[:tls][:ca_file]
is used forOpenSSL::X509::Certificate
. Therefore, only the first CA in a file of potentially more than one, is used to verify theincoming
cert here.I would also recommend that we use the
OpenSSL::X509::Store
to verify like so:For further context, a use case for this is certificate rotation. mTLS fails easily when more than one CA is not considered during the transitional stage.
The text was updated successfully, but these errors were encountered: