New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ambiguous use of SSL_CERT_DIR #18068
Comments
This looks like a good plan. However the third thing would be something to backport as a bug fix and we should IMO backport it. |
Two notes:
|
There is one more thing. The |
Perhaps just anything that has |
|
The existing code expects Do we want a PR to allow the new
Makes sense. Any suggestions for a better name? |
Fixes openssl#18068. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#18070)
Fixes openssl#18068. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#18070)
Currently, the
SSL_CERT_DIR
environment variable is used to specify the default location both forX509_LOOKUP_hash_dir()
as well asX509_LOOKUP_store()
.However,
X509_LOOKUP_hash_dir()
interprets the value as a path delimiter-separated list of paths, whereasX509_LOOKUP_store()
interprets this value as a URI.This means that if you specify e.g.
file:///etc/ssl/certs
, and setup both path and store lookups (for example by callingX509_STORE_set_default_paths
), at first a directory lookup is attempted in the directory./file
relative to the current working directory, followed by the directory///etc/ssl/certs
. Then thefile
store provider will subsequently handle it as a supported URL.This seems bizarre and was probably not intended. It may also be a slight security concern; e.g. if an environment sets
SSL_CERT_DIR=somestoreprovider://foo
, if an attacker can cause someone to use OpenSSL in a directory containing a directory namedsomestoreprovider
under the attacker's control, the attacker could add certificates they control to the trusted list.I suggest we resolve this by:
SSL_CERT_URI
preferred for all future usageSSL_CERT_URI
is set, the store lookup method will not checkSSL_CERT_DIR
SSL_CERT_DIR
looks like an URL (^([a-zA-Z0-9-+]{2,})://
), do not haveX509_LOOKUP_hash_dir()
process it.The third point is a potential compatibility change, but would require someone to be using
SSL_CERT_DIR
to specify a relative path followed by an absolute path which is specified via redundant leading slashes. This is theoretically possible but the combination seems very unlikely.My intention would then be to have
SSL_CERT_URI
default tocapi://
on Windows and be empty otherwise. The new CAPI store (re #18020) will probably also be behind a compile time option.The text was updated successfully, but these errors were encountered: