Implement Certificate Transparency policy #819

Merged
merged 4 commits into from Sep 18, 2021

Member

@djc djc commented Sep 15, 2021

An attempt to make configuration of the certificate transparency policy more robust. This doesn't have testing yet; my first question here is if this should live in rustls itself or if it should be part of the sct crate.

(Feel free to take this and run with it/build on it/change it in whatever way seems best.)

Fixes #803.

@djc djc force-pushed the optional-ct-logs branch 2 times, most recently from 958fb45 to c434861 Compare September 15, 2021 12:34
@codecov-commenter

codecov-commenter commented Sep 15, 2021

Codecov Report

Merging #819 (e145ad6) into main (14c024d) will decrease coverage by 0.14%.
The diff coverage is 38.00%.

❗ Current head e145ad6 differs from pull request most recent head 5a64a2f. Consider uploading reports for the commit 5a64a2f to get more accurate results

@@            Coverage Diff             @@
##             main     #819      +/-   ##
==========================================
- Coverage   96.52%   96.38%   -0.15%     
==========================================
  Files          59       59              
  Lines        9307     9330      +23     
==========================================
+ Hits         8984     8993       +9     
- Misses        323      337      +14     
Impacted Files Coverage Δ
rustls/src/builder.rs 91.48% <ø> (ø)
rustls/src/lib.rs 100.00% <ø> (ø)
rustls/src/verify.rs 70.37% <9.67%> (-4.28%) ⬇️
rustls/src/client/builder.rs 94.33% <83.33%> (-5.67%) ⬇️
rustls/src/verifybench.rs 100.00% <100.00%> (ø)

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@djc djc force-pushed the optional-ct-logs branch 2 times, most recently from 8efc9a4 to c88122c Compare September 15, 2021 13:46
Member

@ctz ctz left a comment

Thanks, this is a good improvement.

With the benefit of hindsight, it was probably premature to implement anything CT related in rustls, because there seems to have been little deployment of the CT features in TLS elsewhere; instead everything is using them embedded in certificates.

@djc
Member Author

djc commented Sep 18, 2021

If so, should we make CT off by default (no need to call without_certificate_transparency_logs()), enabled by calling the builder method explicitly in one of the later stages?

@djc djc merged commit 74d9c56 into rustls:main Sep 18, 2021
@djc djc mentioned this pull request Sep 18, 2021
@ctz
Member

ctz commented Sep 19, 2021

> If so, should we make CT off by default (no need to call without_certificate_transparency_logs()), enabled by calling the builder method explicitly in one of the later stages?

I think it would be an improvement if it were to default to off. We could revisit that once we have a complete CT implementation.

Successfully merging this pull request may close these issues.

with_root_certificates config API encourages CT validation in clients that may not receive regular updates