New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[icloud] dynamic certificates #6937
[icloud] dynamic certificates #6937
Conversation
Travis tests have failedHey @hoeckxer, 2nd BuildExpand here
|
First of all, thanks for PR and I know this issue is huge problem for the users (I'm using it as well). I think we should consider automatic certification renewal twice as it's a security flaw. Binding will automatically trust all server certificates, so it doesn't prevent "man in the middle" attacks anymore (user iCloud credentials could be sent to 3rd party). At least feature should be configurable option and user could enable this feature by knowing consequences. |
Travis tests were successfulHey @hoeckxer, |
…uginManagement secition (openhab#6867) Signed-off-by: Arne Seime <arne.seime@gmail.com> Signed-off-by: hoeckxer <hawkeyenl@yahoo.com>
Signed-off-by: hoeckxer <hawkeyenl@yahoo.com>
…om icloud server when necessary Signed-off-by: hoeckxer <hawkeyenl@yahoo.com>
Signed-off-by: hoeckxer <hawkeyenl@yahoo.com>
…face. Changed certification persistence name for clarity Signed-off-by: hoeckxer <hawkeyenl@yahoo.com>
Signed-off-by: hoeckxer <hawkeyenl@yahoo.com>
Signed-off-by: hoeckxer <hawkeyenl@yahoo.com>
dd954e8
to
0e87d17
Compare
That is my concern as well (as mentioned), but on the other hand nobody is checking the certificates that were installed over the past year as far as I've heard. I could make the dynamic retrieval configurable; in that case people can still actively update the certificate themselves by updating the used .crt file, or they can decide if they want to allow the dynamic retrieval. They could also simple flip the switch when it stops working, and disable it again after the certificate has been renewed. However, I somehow feel that that's a bit of quite specific configuration for the average user? |
Travis tests were successfulHey @hoeckxer, |
…hakeException occurs Signed-off-by: Erwin Hoeckx <hawkeyenl@yahoo.com>
Travis tests were successfulHey @hoeckxer, |
Doesn’t it use the same root certificate? I thought the root certificate has a very long validity. And the time I included i of course validated the correctness before creating a PR. I would be really happy to have resolved but agree that the current implementation imposes a security issue. Did you look into using the root certificate or can you look into it. Thanks for your efforts! |
Certificate in binding bundle seems to be the server certificate itself, not Root CA or Apple sub CA what it should be. iCloud binding should trust all certificates issued by Apple Root CA or at least Apple Server authentication CA, right? I understand initially that Apple CA certificate has been changed, but is the reason just that server certificate has been changed? |
Maybe it has been replaced with a wrong certificate? I think we should not use a trust-all for external connections where important credentials are used. |
The first time I worked on it it failed when I tried to use the the root certificate. I did not investigate that much further later on. |
The first time it broke down was because they switched from a normal certificate signed by a known CA to the self signed. After that I was not able to get it working using the Root / apple ca certificate so ended up using the server certificate planning to refresh it once per year however it feels that it is now more than once per year. And of course a dynamic solution is preferable! So thanks again for bringing this up and sketching out a possible solution |
Thanks for the feedback. I'm happy to investigate if we can check the root certificate, I agree that we shouldn't allow all certificates. I need some time to dive into it, I'll report back when I've got an answer. |
@martinvw I can work it out no problem, but thanks :) |
Please see here: https://community.openhab.org/t/icloud-ssl-issue-again/79182/187?u=maihacke |
…ed root certificate Signed-off-by: Erwin Hoeckx <hawkeyenl@yahoo.com>
Travis tests were successfulHey @hoeckxer, |
I updated the code so that it verifies the presented certificate up the certificate chain up to the root CA certificate, which is included in the bundle. I'm intrigued by @maihacke 's solution though; can you expand on if you included the server CA certificate, or the root certificate? @martinvw do you know what protocol was used when you were trying to implement the root certificate check? I've been digging a bit, and I think TLS1.2 mandates the certification path to be sent (the intermediary certificates) so that it should be able to check with just the root certificate on the client side. Food for thought on how to move forward; we can see if the existing 2.5 code base works with just replacing the certificate with the root certificate, or we can go with the dynamic route, which now also automatically verifies the certification path. If it works with just updating the certificate to the root certificate, I think we should do that as the code is simpler and drop this pull request? |
@hoeckxer The certificate chain for the fmipmobile service contains at least three certificates. The first is issued for fmipmobileX.apple.com. This certificate was included in the bundle before my change. |
I would prefer including the required certificates in the bundle and not go for a solution which downloads certificates by itself. |
@maihacke using the CA certificate Apple Server Authentication CA is actually just as unsafe, as this certificate is included in the response sent by the server. This means that this certificate can be mimicked by hackers just as easily. The correct approach I think now is to provide the only certificate in the chain that is not sent by the server (these can be hacked after all), which is Apple's Root CA certificate. This is the only certificate that cannot be hacked remotely, and thereby provides a correct verification. I've made this change on a new branch, which seems to work just fine. I've created pull request #6948 for this new change. As far as I'm concerned this is the right way to go, and we should abandon this pull request (unless we run into serious issues with the other change, but I don't think so). |
No that is not correct. An attacker could not create a certificate matching the hosts DNS name. The JVMs trustmanager checks that the certificate is issued for the correct DNS and is signed by a trusted CA. For that the attacker would need the private key of Apples CA cert. |
See #6948 |
@maihacke using the server certificate in the binding would indeed work to check against, I misinterpreted my expectations. This would provide a longer valid certificate and a working binding. While we're at it I think it would be better though to use the root certificate to check against, as this is valid for an even longer period. |
As apple is frequently (increasingly) updating the certificate on the server-side, users are more often confronted with a non-functioning iCloud binding.
One of the issues here is that the certificate that is used to verify the server (SSL handshake) is stored statically in the codebase. This means that every time the certificate is changed, a new certificate needs to be included in the codebase (with all the work that comes with it).
This pull request changes the code so that it dynamically retrieves the certificate from the server when needed. The only loophole is that there is no check on the client-side that it's the correct certificate. On the other hand, from what I could tell from the last couple of manual updates, this wasn't being done anyway. If needed, this can be achieved in the future by using a specialised trustmanager to verify the certificate is issues by a trusted party.
With this PR, the binding now works as following with regards to certificates:
Please note that I've also added some extra logging, and cleaned up some minor things.
Any suggestions on how the code needs to be improved would be good. I've asked users to try out the snapshot https://drive.google.com/open?id=1qoNP4PlFAcAwtu9w9ydYwtJSdMymkzV7 in thread https://community.openhab.org/t/icloud-ssl-issue-again/79182/157. So far reports seem to be positive.