
Build failure due to MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION #23

Closed
ffontaine opened this issue Apr 22, 2020 · 6 comments

@ffontaine
Contributor

Since commit ae483af, build fails if MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION is not enabled on mbedtls.

We can't enable this option on a system-wide mbedtls library as this would be a security risk. So what should we do (especially on buildroot)? Should we disable UALPN with mbedtls?

@ndilieto
Owner

Unfortunately mbedTLS is very blunt here: instead of checking unknown critical extensions at the point of use, it refuses to load any certificate with such extensions from a file or memory buffer, unless compiled with MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.

Therefore, since TLS-ALPN-01 validation requires a new critical extension that mbedTLS does not know about (https://tools.ietf.org/html/rfc8737#section-6.1), you simply cannot use ualpn with mbedTLS unless you build it with that option.

You can exclude ualpn from the build by adding the --without-ualpn option to configure. On buildroot ualpn has its own enable menu option (disabled by default): https://git.buildroot.net/buildroot/tree/package/uacme/Config.in

Do you think there is any value in adding a test in configure.ac to disable ualpn automatically unless mbedTLS is built with MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION?

@ffontaine
Contributor Author

Thanks for the clarification, I think that you can leave your code like this for now.

I'll try to cook a patch to enable MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION in mbedtls/Config.in

Then, I'll select this new option if mbedtls is enabled and BR2_PACKAGE_UACME_UALPN is set. I'll copy/paste your explanation in the Config.in so the user is aware of the potential security risk. I think that's the best option for the end user.

@ndilieto
Owner

Ok, thanks. I'm closing the issue then.

buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue May 9, 2020
ualpn requires mbedTLS to be configured and built with
MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
which is not the default and can be a security risk.

Therefore make BR2_PACKAGE_UACME_UALPN depend on
BR2_PACKAGE_OPENSSL || BR2_PACKAGE_GNUTLS.

Fixes http://autobuild.buildroot.net/results/d241121f8155bad9b6b25c16234576abb7fc940b

See also

ndilieto/uacme#23
Mbed-TLS/mbedtls#3241
Mbed-TLS/mbedtls#3243
http://lists.busybox.net/pipermail/buildroot/2020-April/281059.html
http://lists.busybox.net/pipermail/buildroot/2020-April/281108.html

Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
ndilieto added a commit that referenced this issue Jun 21, 2020
The mbedtls_x509_crt_parse_der_with_ext_cb function (available in
mbedTLS 2.23.0 and later) allows parsing the "id-pe-acmeIdentifier"
certificate extension without having to configure the deprecated
MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.

Fixes #23

See also Mbed-TLS/mbedtls#3243
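The owner's comment earlier in the thread describes the problem (mbedTLS, before the callback API, refuses at parse time any certificate carrying a critical extension it does not recognise, and the only escape hatch is the library-wide MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION, which accepts every unknown critical extension), and the commit above names the fix: a per-extension callback through mbedtls_x509_crt_parse_der_with_ext_cb. What follows is an added example written for this page; it is not code from uacme, mbedTLS, Buildroot or any participant, and it deliberately uses no mbedTLS API so it runs on its own. It walks a DER-encoded X.509 Extensions SEQUENCE with a small self-contained parser and applies the point-of-use policy the thread argues for: extensions the parser understands pass, id-pe-acmeIdentifier (OID 1.3.6.1.5.5.7.1.31, RFC 8737 section 6.1) is accepted only when it is marked critical and carries a 32-byte digest, any other unrecognised critical extension is rejected, and unrecognised non-critical extensions are ignored (RFC 5280 section 4.2). The test vectors are constructed, not real certificates: basicConstraints stands in for an extension the library knows, the OID 1.2.3.4 stands in for an arbitrary extension it does not, and the 0xA5 bytes stand in for the SHA-256 of the key authorization.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DER-encoded OID bodies. id-pe-acmeIdentifier is 1.3.6.1.5.5.7.1.31 (RFC 8737 s6.1). */
static const uint8_t OID_ACME_ID[]    = {0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x1F};
static const uint8_t OID_BASIC_CONS[] = {0x55,0x1D,0x13};   /* 2.5.29.19, the "known" extension here */
static const uint8_t OID_UNKNOWN[]    = {0x2A,0x03,0x04};   /* 1.2.3.4, constructed stand-in for anything else */
enum { EXT_OK = 0, EXT_UNKNOWN_CRITICAL = -1, EXT_MALFORMED = -2 };

/* Read one DER TLV that must carry `tag`; supports lengths up to two long-form bytes. */
static int der_tlv(const uint8_t *p, const uint8_t *end, uint8_t tag,
                   const uint8_t **val, size_t *len, const uint8_t **next)
{
    if (end - p < 2 || p[0] != tag) return -1;
    size_t l = p[1]; const uint8_t *v = p + 2;
    if (l & 0x80) {
        size_t nb = l & 0x7F;
        if (nb == 0 || nb > 2 || (size_t)(end - v) < nb) return -1;
        for (l = 0; nb > 0; nb--) l = (l << 8) | *v++;
    }
    if ((size_t)(end - v) < l) return -1;
    *val = v; *len = l; *next = v + l;
    return 0;
}

static bool oid_is(const uint8_t *o, size_t n, const uint8_t *ref, size_t rn) { return n == rn && memcmp(o, ref, n) == 0; }

/* Per-extension decision at the point of use (the job of the callback handed to
   mbedtls_x509_crt_parse_der_with_ext_cb, where returning 0 means accept). */
static int ext_policy(const uint8_t *oid, size_t oid_len, bool critical,
                      const uint8_t *val, size_t val_len)
{
    if (oid_is(oid, oid_len, OID_BASIC_CONS, sizeof OID_BASIC_CONS))
        return EXT_OK;                          /* an extension the parser understands */
    if (oid_is(oid, oid_len, OID_ACME_ID, sizeof OID_ACME_ID)) {
        /* RFC 8737: MUST be critical; extnValue is an OCTET STRING holding a 32-byte SHA-256 */
        const uint8_t *d, *nx; size_t dl;
        if (!critical) return EXT_MALFORMED;
        if (der_tlv(val, val + val_len, 0x04, &d, &dl, &nx) != 0 || dl != 32 || nx != val + val_len)
            return EXT_MALFORMED;
        return EXT_OK;
    }
    /* RFC 5280 s4.2: unrecognised critical => reject; unrecognised non-critical => ignore */
    return critical ? EXT_UNKNOWN_CRITICAL : EXT_OK;
}

/* Walk an X.509 Extensions SEQUENCE and apply ext_policy to every entry. */
int check_extensions(const uint8_t *der, size_t der_len)
{
    const uint8_t *p, *end = der + der_len, *next;
    size_t len;
    if (der_tlv(der, end, 0x30, &p, &len, &next) != 0 || next != end) return EXT_MALFORMED;
    while (p < end) {
        const uint8_t *e, *e_end, *oid, *val; size_t oid_len, val_len; bool critical = false;
        if (der_tlv(p, end, 0x30, &e, &len, &next) != 0) return EXT_MALFORMED;
        e_end = e + len;
        if (der_tlv(e, e_end, 0x06, &oid, &oid_len, &e) != 0) return EXT_MALFORMED;
        if (e < e_end && *e == 0x01) {          /* optional BOOLEAN critical, DEFAULT FALSE */
            const uint8_t *b; size_t bl;
            if (der_tlv(e, e_end, 0x01, &b, &bl, &e) != 0 || bl != 1) return EXT_MALFORMED;
            critical = b[0] != 0;
        }
        if (der_tlv(e, e_end, 0x04, &val, &val_len, &e) != 0 || e != e_end) return EXT_MALFORMED;
        int rc = ext_policy(oid, oid_len, critical, val, val_len);
        if (rc != EXT_OK) return rc;
        p = next;
    }
    return EXT_OK;
}

/* Constructed test vectors (not real certificates). put_ext emits one Extension, short lengths only. */
static size_t put_ext(uint8_t *out, const uint8_t *oid, size_t oid_len,
                      bool critical, const uint8_t *val, size_t val_len)
{
    uint8_t *p = out;
    *p++ = 0x30; *p++ = (uint8_t)(2 + oid_len + (critical ? 3 : 0) + 2 + val_len);
    *p++ = 0x06; *p++ = (uint8_t)oid_len; memcpy(p, oid, oid_len); p += oid_len;
    if (critical) { *p++ = 0x01; *p++ = 0x01; *p++ = 0xFF; }
    *p++ = 0x04; *p++ = (uint8_t)val_len; memcpy(p, val, val_len); p += val_len;
    return (size_t)(p - out);
}

/* kind: 0 = acmeIdentifier critical (what TLS-ALPN-01 sends), 1 = acmeIdentifier not critical,
   2 = unknown critical extension, 3 = unknown non-critical extension */
size_t build_sample(uint8_t *out, int kind)
{
    static const uint8_t ca_false[] = {0x30, 0x00}, junk[] = {0x00};  /* BasicConstraints {}; dummy value */
    uint8_t acme_val[34] = {0x04, 0x20};                      /* OCTET STRING SIZE(32) */
    memset(acme_val + 2, 0xA5, 32);                           /* constructed stand-in for the SHA-256 digest */
    bool acme = kind < 2, crit = (kind == 0 || kind == 2);
    uint8_t *p = out + 2;
    p += put_ext(p, OID_BASIC_CONS, sizeof OID_BASIC_CONS, true, ca_false, sizeof ca_false);
    p += acme ? put_ext(p, OID_ACME_ID, sizeof OID_ACME_ID, crit, acme_val, sizeof acme_val)
              : put_ext(p, OID_UNKNOWN, sizeof OID_UNKNOWN, crit, junk, sizeof junk);
    out[0] = 0x30; out[1] = (uint8_t)(p - out - 2);           /* outer SEQUENCE header */
    return (size_t)(p - out);
}

int demo(int kind) { uint8_t buf[128]; return check_extensions(buf, build_sample(buf, kind)); }
int main(void) { for (int k = 0; k < 4; k++) printf("sample %d -> %d\n", k, demo(k)); return 0; }
```

The contrast with the build option is the whole point: compiling mbedTLS with MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION makes the parser accept every unknown critical extension for every certificate the library ever loads, while a per-extension decision like ext_policy accepts exactly one OID, under exactly the conditions RFC 8737 requires, and still rejects everything else. That is why the issue treats the library-wide option as a security risk and the callback as the acceptable fix.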
buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue Jul 27, 2020
(cherry picked from commit 96c3b52)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
@lucize commented Feb 17, 2022

@ndilieto in the end, is it possible to use mbedtls for ualpn? openwrt now has mbedtls-2.16.12

@ndilieto
Owner

Yes, but you either need mbedtls version 2.23.0 or higher, or you must configure 2.16 with MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.

Mbed-TLS/mbedtls#3243 (comment)

Mbed-TLS/mbedtls#3241

@lucize commented Feb 17, 2022

Thanks, I'll try to push for an updated version.

woodsts pushed a commit to woodsts/buildroot that referenced this issue Jun 19, 2022
Following the update to mbedTLS 2.28.0 in commit 0f8aab0, ualpn can
work with mbedTLS without restrictions.

References
https://git.buildroot.net/buildroot/commit?id=96c3b52132b41716ca445b4c73a1a8886c26e5ee
ndilieto/uacme#23 (comment)
ndilieto/uacme@bbee626
Mbed-TLS/mbedtls#3243

Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
damien-lemoal pushed a commit to damien-lemoal/buildroot that referenced this issue Jul 13, 2022
woodsts pushed a commit to woodsts/buildroot that referenced this issue Jul 19, 2022
(cherry picked from commit 6c7b469)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue Jul 19, 2022
(cherry picked from commit 6c7b469)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>