openssl: noverify continue if CA_BLOB error #11457
Conversation
lib/vtls/openssl.c
Outdated
| BYTE key_usage[2]; | ||
| DWORD req_size; | ||
| const unsigned char *encoded_cert; | ||
| /* Import certificates from the Windows root certificate store if requested. |
There was a problem hiding this comment.
You report a problem on Ubuntu, but yet the largest chunk of your PR changes code that is Windows-specific. It makes me assume it changes more than you intended?
There was a problem hiding this comment.
That large chunk (from my commit 27675b4) is a git revert of a3bcfab which was the easiest way I could see to remove the if(verifypeer){ statement starting on line 3079 that introduced the dependency between CURLOPT_SSL_VERIFYPEER and CURLOPT_CAINFO_BLOB options. There should be no functional change to the Windows certificate handling code, though my change would also revert a small formatting change on line 3006.
There was a problem hiding this comment.
Though I didn't consider curl's behavior on Windows if CURLOPT_SSL_VERIFYPEER was set to 0 and a failure occurred while curl was importing certificates from Windows.
There was a problem hiding this comment.
Since you removed the if(verifypeer) { for the Windows code that loads native certs as well as for the code you want to change, it certainly changes behavior in a non-intended way.
There was a problem hiding this comment.
After examining the code I didn't find that my changes would have any unintended affect on the Windows native certificate import code.
a3bcfab is the latest commit that changed the Windows native certificate import code. This means there haven't been any changes since that commit that would need to be preserved. See the code block at the bottom of this comment for my analysis commands.
Before commit a3bcfab there were 6 if statements contained in the populate_x509_store function (1, 2, 3, 4, 5, 6). The a3bcfab commit moved the first 2 if statements into the if(verifypeer) statement from line 3079 (1, 2). The remaining if statements were not changed (3, 4, 5, 6). However moving these if statements only affected the behavior of the second, making it dependent on the configuration of VERIFYPEER.
For Windows, before a3bcfab, certificates would only be loaded from Windows with the CURLSSLOPT_NATIVE_CA flag set in CURLOPT_SSL_OPTIONS and either VERIFYPEER or VERIFYHOST was set. After the a3bcfab change, certificates from Windows would only be loaded if both the NATIVE_CA flag and VERIFYPEER were set. I believe the a3bcfab commit changes the semantics around the CURLOPT_SSL_VERIFYHOST option, and my change would return to the original semantics. After my changes the first if statement would exactly return to its curl 7.87.0 behavior. Curl's 7.87.0 Windows native CA behavior is identical to curl 7.86.0's behavior, which is the behavior I hope to preserve through this PR. The behavior of Windows' usage of VERIFYPEER with and without my change remains the same. With my change, configuring VERIFYHOST can also be used to enable certificate import from Windows.
The comment on line 3047 states that errors encountered while importing certificates from Windows are ignored. This comment describes the same behavior that my PR is attempting to implement for CAINFO_BLOB. However the Windows native code would not execute if VERIFYPEER is false, so the error handling behavior would not be executed.
My change will remove the second if statement from the verifypeer if statement as it is intends to do. This will restore the independence of the SSL_VERIFYPEER and CAINFO_BLOB settings. This will preseve functionality that identical to curl 7.86.0.
$ git rev-parse --verify HEAD
f2aac0d108167bee5d06d6f9a307e0ff5193b816
$ git blame lib/vtls/openssl.c -L 3037,3172 | awk '{print $1}' | sort | uniq
3c16697ebd
3d919440c8
49a6642f01
8fa8df95fb
a20daf90e3
a3bcfab4b5
^ae1912cb0
d288222e80
fa1ae0abcd
|
If this one-liner basically what you want? diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index ae33147d0..e8fea0909 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -3025,11 +3025,11 @@ static CURLcode populate_x509_store(struct Curl_cfilter *cf,
bool imported_ca_info_blob = false;
if(!store)
return CURLE_OUT_OF_MEMORY;
- if(verifypeer) {
+ if(verifypeer || data->set.ssl.fsslctx) {
#if defined(USE_WIN32_CRYPTO)
/* Import certificates from the Windows root certificate store if
requested.
https://stackoverflow.com/questions/9507184/
https://github.com/d3x0r/SACK/blob/master/src/netlib/ssl_layer.c#L1037 |
Though that is the right way to do (probably) what he wants I don't think we should make any change as explained here. |
Yes, that would fix our issue but would not support the |
|
Sorry you lost me. What puzzles me and what I think is the root cause for these problems is your mix of using a custom verification callback method but yet you insisting libcurl to do magic with the certificates. I think you should rather stick to either way; if you use the callback, do not assume that libcurl does magic with the certificates. If you don't ask libcurl to verify the certificates, libcurl has no reason to load them or check them and I think that is valid. It cannot know or presume that your callback wants to piggy-back on that functionality. |
|
I think either loading or not loading certificates is reasonable. In either case a few lines should be added to the documentation to highlight the interactions between these settings. The documentation for
We appear to be attempting to reconcile the answers to 2 questions:
I'll expand and provide context for these questions in the following paragraphs. There are 4 options that have interesting interactions in this space: There are 2 configurations. The first configuration is from #10351 which wants the ability to provide an empty The second configuration worked in curl 7.86.0 and 7.87.0 but broke in 7.88.0. This configuration disabled From my point of view, if the A sample of the other vtls backends shows mixed results for the interaction between |
We already do this for other SSL backends. Bug: curl#11457 (comment) Reported-by: kyled-dell@users.noreply.github.com Closes #xxxx
Why? The CAINFO_BLOB option provides the cacerts in memory. That's an alternative way instead of loading them from disk. This blob is the CA store. |
We already do this for other SSL backends. Bug: #11457 (comment) Reported-by: kyled-dell@users.noreply.github.com Closes #11497
If CURLOPT_SSL_VERIFYPEER is disabled and CURLOPT_CAINFO_BLOB is provided, certificates will not be loaded from the BLOB into the TLS backend. This is an important interaction if CURLOPT_SSL_CTX_FUNCTION is used for custom TLS verification.
kyled-dell
force-pushed
the
CA_INFO_BLOB
branch
from
2c83ac1
to
93306b6
Compare
|
To summarize: our application was using unintended functionality of libcurl that loaded CA certificates provided to the Since libcurl's interaction between these 2 settings was unintended I plan to rewrite the code that was using this functionality to load the certificates into OpenSSL itself. Instead of changing libcurl's behavior, I amended this PR to clarify that if |
| server's certificate, \fICURLOPT_CAINFO_BLOB(3)\fP is not needed. | ||
| If \fICURLOPT_SSL_VERIFYPEER(3)\fP is zero and you avoid verifying the server's | ||
| certificate, any certificates provided by using \fICURLOPT_CAINFO_BLOB(3)\fP | ||
| are not used. |
There was a problem hiding this comment.
I think this is confusing. Exactly how would libcurl use the certificate when it doesn't verify it? I think this change adds more questions than it answers!
There was a problem hiding this comment.
If \fICURLOPT_SSL_VERIFYPEER(3)\fP is zero and you avoid verifying the server's certificate
I think the issue is we have users who are verifying the certificate on their own even though CURLOPT_SSL_VERIFYPEER is zero, so they may misinterpret either version of this. How about "If \fICURLOPT_SSL_VERIFYPEER(3)\fP is zero then the certificates are not loaded."
There was a problem hiding this comment.
That seems a very reasonable text to add!
|
I added a mention of this in the CURLOPT_SSL_VERIFYPEER.3 documentation. I believe this case is then handled! |
We already do this for other SSL backends. Bug: curl#11457 (comment) Reported-by: kyled-dell@users.noreply.github.com Closes curl#11497
See detailed issue description in #11456. This PR preserves independence of the
CURLOPT_SSL_VERIFYPEERandCURLOPT_CAINFO_BLOBwhen using OpenSSL. This ensures certificates will be added to OpenSSL's root certificate chain, even if the user of libcurl is doing something strange with certificates. This behavior was tested with theossl_custom_verify.candtest_verify.cscripts from #11456.The major change is the addition of this line which makes these settings interact in libcurl the same was as they did in 7.86.0.