mk-ca-bundle.pl options #6
mk-ca-bundle.pl in curl changed in commit May 8th to change trust defaults for inclusion in the generated bundle.

This was specifically noticed because the cert for Verisign known as "Class 3 Public Primary Certification Authority" was not included in the bundle because it is not a 'TRUSTED_DELEGATOR', but also unfortunately happens to be the top of the chain that runs AWS ssl certs for secure communication with their systems.

TL;DR: the latest Mozilla::CA does not work with a subset of ssl certificates, this patch fixes the build chain to avoid the problem.
Well, Ask over on the bug I entered said: 'Doing "ALL:ALL" isn't a fix; you might just as well stop verifying the certs then.'

I can be convinced otherwise; but that's how I understand it.
Here's the rundown, and the context for this particular bug's patch (I helped @DavidIAm figure this out):

Perl's TLS stack uses OpenSSL libraries under the hood. The OpenSSL libraries don't do verification the same way that NSS (the Mozilla security/TLS) libraries do. NSS will stop building a verification chain as soon as it finds a certificate in the trust store that has the website trust bit asserted. OpenSSL will continue until it finds a self-signed certificate in the chain, or will fail if it can't find one.

The certificate chain asserted goes like this (certificate PEM data elided from output of the command Certificate chain

The problem is the issuer of certificate 2. "/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority" still exists in certdata.txt, but it does not assert the proper website trust bits for mk-ca-bundle.pl to express it without this or an equivalent patch. Perl's TLS stack requires the specific certificate identified above in its ca-bundle.pem in order to authenticate Amazon's web services. It might (but is not truly documented to) be able to use the output of

I also object to the assertion that "ALL:ALL" is as bad as stopping verification of certificates entirely. Certificates would not be in Mozilla's certdata.txt if they hadn't been vetted by Mozilla as belonging to certifiers that adhere to its certificate authority policy. They may reduce the security a bit (by allowing email-only and software-only certifiers to sign website certificates), but that is a far cry from stopping all certificate verification.
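To make the trade-off in this thread concrete, here is an added example (not part of this PR or of mk-ca-bundle.pl) that parses constructed certdata.txt trust records and applies a simplified model of the script's "-p purposes:levels" filter; how the real script expands ALL is an assumption here, not a reproduction of its code.

```python
import re

# Constructed certdata.txt trust records (not real Mozilla data); the
# layout mirrors the CKO_NSS_TRUST objects that mk-ca-bundle.pl reads.
SAMPLE_CERTDATA = """\
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Website Root (constructed)"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Legacy Primary CA (constructed)"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Email-only CA (constructed)"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED
"""

TRUST_RE = re.compile(r"^CKA_TRUST_(\w+) CK_TRUST CKT_NSS_(\w+)$")

def parse_trust_records(text):
    """Return {label: {purpose: level}} for every trust block."""
    records, label = {}, None
    for line in text.splitlines():
        if line.startswith('CKA_LABEL UTF8 "'):
            label = line.split('"')[1]
            records[label] = {}
        m = TRUST_RE.match(line)
        if m and label is not None:
            records[label][m.group(1)] = m.group(2)
    return records

def select(records, spec):
    """Simplified model of "-p purposes:levels": keep a CA when any listed
    purpose carries any listed level; ALL stands for every purpose or
    every level (an assumption about the real script's expansion)."""
    purposes, levels = (set(part.split(",")) for part in spec.split(":"))
    kept = []
    for label, trust in records.items():
        for purpose, level in trust.items():
            if ("ALL" in purposes or purpose in purposes) and \
               ("ALL" in levels or level in levels):
                kept.append(label)
                break
    return kept
```

Under "SERVER_AUTH:TRUSTED_DELEGATOR" only the website root survives; "ALL:ALL" pulls in the legacy primary the chain needs but also the email-only CA, which is the cost the thread is arguing about.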
I'm a reluctant maintainer of this, but you all come across as way too crazy sloppy with this issue. Years ago it was changed to the current behavior in commit f516a6b ("Do not add untrusted CAs from mozilla certdata.txt (RT#70967)"). A proper patch for this will document how the patch makes the behavior match that of Firefox. Also, the version of mk-ca-bundle.pl we have doesn't have the -p option, so that has to be put in first.

The curl documentation (where that script comes from) says:
@abh: The version of mk-ca-bundle.pl you have does support the -p option, according to the text in the help. https://github.com/gisle/mozilla-ca/blob/master/mk-ca-bundle.pl#L166

I don't believe that OpenSSL supports behavior matching that of Firefox. If it does, it's not documented to do so. Something that may short-circuit it is

In order to have absolute conformance to Firefox's behavior, the plan would have to be:

In Verisign's case, it would be nice if it would issue an updated self-signed/self-issued certificate for its G5 certifier, and distribute those certificates to its customers. However, I think this is an impractical burden (contacting every one of its customers to update the certificate chains their servers send out). Worst-case, there's also all of the many installed sites that already have OpenSSL installed but would need to build a new version of perl for any upgrades to a version that supports a short-circuit (say, to the latest 1.0.2, when they're still on 0.9.8 or 0.9.9).
I apologize for not merging this; but I'm not qualified to choose what's right so I'm reluctant to change it without more input!