Detect when included into AppImage; root CA and engines path #7481
This issue is not AppImage specific. The problem occurs whenever an application needs to ship a private copy of OpenSSL because the application cannot assume that the version of OpenSSL works with the application. For example, if the application is built against OpenSSL 1.0 then it will fail on distributions that ship OpenSSL 1.1, and vice versa, effectively forcing the application to bundle a private copy of OpenSSL. Now, the private copy of OpenSSL must either ship its own set of certificates (which would be very cumbersome to maintain), or load the certificates from the system. Unfortunately, the different distributions happen to put them in apparently "random" locations (for no apparent good reason other than "distribution policy"):
Hence, OpenSSL should fall back to loading certificates from all those known locations, and issue a clear recommendation for distributions where to put certificates going forward. References:
No, OpenSSL should not load all certs from all locations. That would be a very poor security practice -- anyone who can install things in one of the locations makes all programs that use OpenSSL trust all of the CAs. Instead, each application should have its own trust store, or path to CAs. Yes it is a bit harder on everyone, and it would be nice if the various distros and platforms could unify, but oh well. I think this should be closed.
Thanks for joining the discussion @richsalz. What if all locations are within How would you make an end-user desktop application that runs on all distributions, if you don't want to have to care for the certificates yourself? Or maybe we could make it respect a certain environment variable to set a path to the certificates?
It's a tough problem, and one I do not think OpenSSL should solve, even if it could solve it. If I were writing such an application, I would have an ordered list of directories to try, and I'd use the first one that existed as a directory, and had the right ownership and permissions. Yes, ugh.
According to https://www.microfocus.com/documentation/visual-cobol/VC40/CSWin/HROSSROPEN02.html, OpenSSL configuration files can define
It may be worth noting that Go ships a hard-coded list of only https://github.com/golang/go/blob/master/src/crypto/x509/root_linux.go As far as I can tell, there's no permission verification, they just try each path until success: 1, 2. I can understand the disinterest in hard-coding such paths in OpenSSL, but from a systemic perspective it might be useful to do so at the heart of the stack, so to speak, as this could reduce the number of applications shipping their own cert bundles. Perhaps as a default-off build option. Many small, infrequently-updated applications end up shipping certs as a path of least resistance to multi-distro support (even Python and the JVM both ship their own).
There's even more locations: https://gitlab.com/probono/platformissues/blob/master/README.md#certificates I think one default location should be defined "at the heart of the stack", to increase standardization. The others should be searched as fallback locations.
There ought to be a distribution agnostic way to fetch the CTL location. My view is that this could be made part of the XDG specification.
Can According to the documentation,
In this case, the AppRun script in the AppImage would need to check all possible locations where the different distributions tend to place those files, and then export the one where they have actually been found, prior to launching the payload executable. Do you think this would be a good strategy? cc @TheAssassin
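The ordered-list-with-ownership-check approach and the AppRun strategy from the two comments above, as an added shell example that is not part of this thread. The candidate paths are well-known distribution bundle locations, SSL_CERT_FILE is the environment variable libcrypto consults for the default cert file, and CA_TRUST_UID is a knob introduced here so the check can be exercised as a non-root user.

```shell
# Added example, not from the issue thread: an AppRun-style helper that picks
# the first system CA bundle that is a regular file, owned by the expected uid
# (root unless CA_TRUST_UID overrides it) and not group/world-writable, then
# exports SSL_CERT_FILE so a bundled libssl reads the host's trust store.

# Well-known bundle locations (Debian/Ubuntu, RHEL/Fedora, openSUSE, Alpine).
# Extend for the distributions you target; order is the search order.
CA_CANDIDATES="
/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/ca-bundle.pem
/etc/ssl/cert.pem
"

CA_TRUST_UID="${CA_TRUST_UID:-0}"

# is_trusted_file FILE: succeed only if FILE is a regular file owned by
# CA_TRUST_UID whose mode has neither the group- nor the world-write bit set.
is_trusted_file() {
    [ -f "$1" ] || return 1
    # stat -c is GNU/busybox coreutils: %u = owner uid, %a = octal mode
    owner=$(stat -c %u "$1" 2>/dev/null) || return 1
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    [ "$owner" = "$CA_TRUST_UID" ] || return 1
    case "$mode" in
        *[2367][0-7]|*[2367]) return 1 ;;   # group-write or other-write set
    esac
    return 0
}

# find_ca_bundle [PATH...]: print the first trusted candidate; status 1 if none.
# Without arguments the built-in CA_CANDIDATES list is searched.
find_ca_bundle() {
    [ $# -gt 0 ] || set -- $CA_CANDIDATES   # unquoted: split on newlines
    for f in "$@"; do
        if is_trusted_file "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# export_ca_env [PATH...]: export SSL_CERT_FILE for the payload, or fail and
# export nothing so a host with no trusted bundle is noticed, not masked.
export_ca_env() {
    bundle=$(find_ca_bundle "$@") || return 1
    export SSL_CERT_FILE="$bundle"
}
```

An AppRun would call `export_ca_env || echo "no trusted CA bundle found" >&2` before exec'ing the payload; a world-writable or wrong-owner bundle is skipped rather than trusted.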
Please see FreeCAD/FreeCAD-Bundle#34 (comment).
A possibility would be to be able to specify paths in the config file. OpenSSL would then only need to know one location, that of the config file.
Is there a way to find out, at runtime, from the OpenSSL that is on the system, the path to the certs?
Yes

```c
const char *X509_get_default_private_dir(void);
const char *X509_get_default_cert_area(void);
const char *X509_get_default_cert_dir(void);
const char *X509_get_default_cert_file(void);
```

If the directory configured with Furthermore, the following three functions will return the names of the corresponding environment variables that libcrypto tries to look at first, before using the above functions:

```c
const char *X509_get_default_cert_dir_env(void);
const char *X509_get_default_cert_file_env(void);
```

Unfortunately, this is among the lot of under-documented libcrypto functions.
Thanks @levitte. Do you happen to know a way to find this out without needing a C/C++ program (e.g., from a shell script)?
At least for C / C++ applications, it sounds like it may make sense to create an auxiliary library for distro independent binaries, which would
I suppose such an auxiliary library could fulfill many purposes, I bet many candidates are already mentioned here https://gitlab.com/probono/platformissues/blob/master/README.md
This is a proposal to discuss a new feature.
OpenSSL should detect whether it is run from AppImage (Linux app bundle, http://appimage.org/) to use an appropriate location for root CA certificates and crypto engines.
When a user downloads some AppImage, for example, Moolticute:
https://github.com/mooltipass/moolticute/releases/download/v0.21.0/Moolticute-x86_64.AppImage
they run it as follows:
AppImage format is an executable header and compressed filesystem image which will be mounted to a temporary dir. If run with strace you may see the following (strace if embedded info launcher script in my case):
Luckily enough that libssl.so.1.0.2k was borrowed from Ubuntu 16.04 and was run on the same distribution, it was able to find root CA certificates. But the location is different across distributions. A similar problem was attempted to be solved for GNU TLS by this patch:
https://github.com/darealshinji/vlc-AppImage/issues/1#issuecomment-321041496
So I'm going to fork the stable version of OpenSSL 1_0 (branch OpenSSL_1_0_2-stable) and try to create a similar patch.
I'm a little worried that the config is still looked for in /usr/lib/ssl/openssl.cnf
And the path to crypto engines is also hardcoded (seems they are not used for SSL connection, but still):
So as tier-1 I will create a search for root CAs in different locations.
Tier-2 will use the APPDIR env var to search relative to the mount point
(APPDIR=/tmp/.mount_MooltiH7uOfu)
I understand this goes against security considerations but if it can be at least a compile-time option in the upstream that would be great.