CMP: fix flag indicating the use of SSL/TLS for client-side HTTP connections #21176
Conversation
The two CI failures are unrelated.
Although unrelated, the CMS failure looks really suspicious.
…lated checks and doc
6f1df38 to 05d5e91
I agree the failing CMS consistency tests on buildbot/master:unix-ubuntu-aarch64 looked suspicious,
I do not think this is a bug fix. Also what if anyone is already depending on the existing behavior of having the callback implying TLS?
As witnessed by #21120, the existing code has at least unexpected and undocumented behavior.
This is indeed a problem, but I'd say the risk is small because it's an advanced feature and the existing behavior is weird and not documented.
With this argument, we couldn't do any bug fixes because there might be someone who - for whatever strange reason - started relying on wrong behavior.
Just a clarification needed on server vs client use of OSSL_CMP_OPT_USE_TLS.
@@ -49,6 +49,7 @@ struct ossl_cmp_ctx_st { | |||
int keep_alive; /* persistent connection: 0=no, 1=prefer, 2=require */ | |||
int msg_timeout; /* max seconds to wait for each CMP message round trip */ | |||
int total_timeout; /* max number of seconds an enrollment may take, incl. */ | |||
int tls_used; /* whether to use TLS for client-side HTTP connections */ |
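Review bot: the comment on the new `tls_used` field should spell out its valid values and its default the way the neighbouring `keep_alive` comment does (`0=no, 1=prefer, 2=require`); from this hunk alone a reader cannot tell whether 0 means "plain HTTP" or "not set, fall back to inferring TLS from the callback", and that distinction is exactly what the backward-compatibility discussion on this PR turns on. If the backward-compatible default is represented by a distinct "unset" value, document it here, e.g. `int tls_used; /* use TLS for client-side HTTP connections: -1=unset, 0=no, 1=yes */`, and say in the same comment that the field is honoured on the client side only.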
Presumably, this is not just for clients? In apps/cmp.c the flag is set regardless of opt_server
So far, tls_used is implemented for the client side only.
And as now stated in openssl-cmp.h.in:
It is ignored if the B<-server> option is not given
apps/cmp.c
if (opt_tls_used) | ||
(void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_USE_TLS, 1); |
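Review bot: the `(void)` cast on `OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_USE_TLS, 1)` discards a failure, so if the option cannot be set the app carries on with TLS silently not requested, which is the worst failure direction for a flag whose purpose is to force TLS; check the return value and treat failure as fatal instead of continuing. Separately, since the reply below says the option is ignored with a warning when `-server` is absent, either gate this on `opt_server != NULL` as suggested or make sure the warning is emitted on this path, so that `-tls_used` never passes without effect and without a diagnostic.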
If this option is for clients only, should there be a && opt_server == NULL here?
We could do that, but the option is anyway ignored in this case (with a warning).
If/when we later add TLS support to the server side, we would have to revert adding && opt_server == NULL.
The app code already did this, what if someone just mimicked it? Can you please try harder to make this backwards compatible? For example this could be a new feature for 3.2 where the OP is OSSL_CMP_OPT_NO_TLS and it switches off the tls if the callback is in use.
Hmm, such a
Here is my proposal for a backward compatible solution:
This way, the old behavior is by default, and explicitly setting the TLS leads to the expected new behavior.
OK, but for master branch only.
Good, but why not also for at least 3.0?
I would not block merging it to 3.1 and 3.0 if someone else approves it, but in my opinion this is clearly a new feature, not a bug fix.
…rove related checks and doc
I'm ok with a back port to 3.1/3.0. Should this also be in master (not labeled for master, but the PR is on master)?
Pleased to hear.
This PR is in a state where it requires action by @openssl/otc but the last update was 30 days ago
Ping @openssl/committers for 2nd review
This PR is in a state where it requires action by @openssl/otc but the last update was 30 days ago
Pinging again @openssl/committers for 2nd review.
OK for the master branch only.
This pull request is ready to merge
Merged to the master branch. Thank you for your contribution.
…lated checks and doc
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from #21176)

…rove the latter
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from #21176)

…lated checks and doc
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl/openssl#21176)
Signed-off-by: fly2x <fly2x@hitls.org>

…rove the latter
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl/openssl#21176)
Signed-off-by: fly2x <fly2x@hitls.org>

…E_TLS
Fixes #21120
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl/openssl#21176)
Signed-off-by: fly2x <fly2x@hitls.org>
OSSL_CMP_MSG_http_perform() by adding option OSSL_CMP_OPT_USE_TLS
OSSL_CMP_CTX_new.pod: remove overlap with OSSL_HTTP_transfer.pod; improve the latter
apps/cmp.c: -tls_used may be implied by -server https:...; improve related checks and doc
Fixes #21120
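The decision this PR is about, written out as an added stand-alone model. This is not OpenSSL code and does not link against libcrypto; `struct cmp_ctx_model`, the `TLS_UNSET` default of -1, `tls_implied_by_server()` and `resolve_app_tls()` are assumptions of this example. Only the option name OSSL_CMP_OPT_USE_TLS and the three rules quoted in the thread (TLS formerly implied by the callback; an explicit setting wins in the backward-compatible proposal; `-server https:...` implies `-tls_used`, which is ignored with a warning without `-server`) come from the page.

```c
/*
 * Added example for this thread; it is not OpenSSL code and does not call
 * libcrypto. It models the decision "does the CMP client use TLS?" in the
 * two forms discussed above. The struct, the functions and the -1 "unset"
 * default are assumptions of this example; only the option name
 * OSSL_CMP_OPT_USE_TLS and the rules quoted in the thread come from the page.
 */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define TLS_UNSET (-1)   /* assumed: OSSL_CMP_OPT_USE_TLS never set explicitly */

struct cmp_ctx_model {
    int tls_used;        /* -1 unset, 0 no, 1 yes: models OSSL_CMP_OPT_USE_TLS */
    int have_tls_cb;     /* nonzero once a TLS callback has been registered */
};

/* Behaviour the thread calls undocumented: TLS is implied by the callback
 * alone, so an explicit "no TLS" cannot be expressed at all. */
static int old_use_tls(const struct cmp_ctx_model *c)
{
    return c->have_tls_cb != 0;
}

/* Backward-compatible variant proposed in the thread: an explicit setting
 * wins; only when the option was never set does the old inference apply. */
static int new_use_tls(const struct cmp_ctx_model *c)
{
    if (c->tls_used != TLS_UNSET)
        return c->tls_used != 0;
    return c->have_tls_cb != 0;
}

/* App-side rule "-tls_used may be implied by -server https:...":
 * 1 for https://, 0 for http:// or a bare host[:port], -1 for any other
 * scheme (the scheme check is this example's own, case-insensitive). */
static int tls_implied_by_server(const char *server)
{
    if (server == NULL)
        return 0;
    if (strncasecmp(server, "https://", 8) == 0)
        return 1;
    if (strncasecmp(server, "http://", 7) == 0)
        return 0;
    if (strstr(server, "://") != NULL)
        return -1;
    return 0;
}

static const char *g_warning = "";  /* last diagnostic from resolve_app_tls() */
static const char *resolve_warning(void) { return g_warning; }

/* Effective value to hand to OSSL_CMP_OPT_USE_TLS for the app's -server and
 * -tls_used options; -1 if the URL scheme is unsupported. Without -server
 * the flag is ignored with a warning, as the man page text quoted in the
 * thread says. */
static int resolve_app_tls(const char *server, int opt_tls_used)
{
    int implied = tls_implied_by_server(server);

    g_warning = "";
    if (server == NULL) {
        if (opt_tls_used)
            g_warning = "-tls_used is ignored since -server is not given";
        return 0;
    }
    if (implied < 0) {
        g_warning = "unsupported URL scheme in -server";
        return -1;
    }
    return (opt_tls_used || implied) ? 1 : 0;
}

int main(void)
{
    struct cmp_ctx_model cb_only = { TLS_UNSET, 1 };   /* callback, option unset */
    struct cmp_ctx_model cb_off  = { 0, 1 };           /* callback, TLS explicitly off */
    struct cmp_ctx_model on_nocb = { 1, 0 };           /* TLS on, no callback */

    printf("callback only : old=%d new=%d\n", old_use_tls(&cb_only), new_use_tls(&cb_only));
    printf("callback, off : old=%d new=%d\n", old_use_tls(&cb_off), new_use_tls(&cb_off));
    printf("on, no cb     : old=%d new=%d\n", old_use_tls(&on_nocb), new_use_tls(&on_nocb));
    printf("-server https://ca.example/pkix -> %d\n",
           resolve_app_tls("https://ca.example/pkix", 0));
    printf("-tls_used without -server -> %d (%s)\n",
           resolve_app_tls(NULL, 1), resolve_warning());
    return 0;
}
```

The second and third rows of the table printed by `main()` are the two cases the thread disagrees about: with the old inference a registered callback switches TLS on even when the caller meant to turn it off, and a caller who asked for TLS without a callback gets none; the explicit option resolves both. The URLs and the warning strings are constructed for this example.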