curl+quiche with HTTP/3 silently ignores certificate problems #8173

Closed
bagder opened this issue Dec 21, 2021 · 5 comments

bagder commented Dec 21, 2021

I did this

  1. I start a test h3 server locally. In my case I run nghttpx with h3 abilities, using a cert + key from curl's test directory.
  2. This cert is not signed by any CA in my system CA store.
  3. I run curl against this server to download a resource: `./curl --http3 https://localhost:9443/8GB -o /dev/null`
  4. This works fine!

I expected the following

It should have failed and required -k or a suitable --cacert line.

curl/libcurl version

curl from current git. It works similarly using either/both HTTP/3 backends.

operating system

Tested on Linux but the code is platform independent.

@bagder bagder added the HTTP/3 h3 or quic related label Dec 21, 2021
@bagder
Member Author

bagder commented Dec 22, 2021

@tatsuhiro-t can you point out which ngtcp2 functions I should look closer at to fix this?

@ghedo can you point out which quiche functions I should look closer at to fix this?

@tatsuhiro-t
Contributor

Usual OpenSSL SSL_CTX or SSL setup is required here for ngtcp2 build.
I think something like

curl/lib/vtls/openssl.c, lines 3181 to 3182 in 2c1dbc1:

```c
SSL_CTX_set_verify(backend->ctx,
                   verifypeer ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL);
```

will fix this issue.

@bagder
Member Author

bagder commented Dec 22, 2021

Thanks @tatsuhiro-t, that seems to fix the verification of the signatures for the OpenSSL branch. But I then also need to verify the CN and subjectAltName fields like we do with servercert for TCP+TLS at

static CURLcode servercert(struct Curl_easy *data,

I figure that needs to be done after the handshake is completed so that we can get the peer cert using the API.
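
The two halves discussed in the comments above (chain verification via `SSL_VERIFY_PEER`, then the CN/subjectAltName name check) are illustrated below as an added example; it is not part of the thread and is not curl's `servercert()` or OpenSSL code. The functions `ascii_ieq()`, `name_matches()` and `peer_acceptable()` are hypothetical, the names are constructed samples, and the sketch assumes the host is a DNS name rather than an IP literal.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASCII-only, locale-independent case-insensitive comparison. */
static int ascii_ieq(const char *a, const char *b)
{
  for(; *a && *b; a++, b++) {
    unsigned char x = (unsigned char)*a, y = (unsigned char)*b;
    if(x >= 'A' && x <= 'Z') x += 32;
    if(y >= 'A' && y <= 'Z') y += 32;
    if(x != y) return 0;
  }
  return *a == *b;
}

/* Wildcard only as the whole leftmost label, covering exactly one label. */
static int name_matches(const char *pattern, const char *host)
{
  if(strncmp(pattern, "*.", 2) == 0) {
    const char *rest = strchr(host, '.');
    if(!rest || rest == host || !strchr(pattern + 2, '.'))
      return 0; /* host has no first label, or pattern is like "*.com" */
    return ascii_ieq(pattern + 1, rest);
  }
  return ascii_ieq(pattern, host);
}

/* chain_ok: result of chain verification (the SSL_VERIFY_PEER half).
   san/nsan: dNSName subjectAltName entries; cn: subject CN or NULL,
   consulted only when the certificate has no DNS SAN. 1 means proceed. */
static int peer_acceptable(int chain_ok, const char *host,
                           const char *const *san, size_t nsan, const char *cn)
{
  size_t i;
  if(!chain_ok)
    return 0;
  for(i = 0; i < nsan; i++)
    if(name_matches(san[i], host))
      return 1;
  return nsan == 0 && cn && name_matches(cn, host);
}

int main(void)
{
  const char *const san[] = { "*.example.com" }; /* constructed sample */
  printf("%d\n", peer_acceptable(1, "localhost", san, 1, "localhost")); /* 0 */
  return 0;
}
```

With OpenSSL itself, the name match is available through `SSL_set1_host()` before the handshake or `X509_check_host()` on the peer certificate afterwards.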

@bagder
Member Author

bagder commented Dec 23, 2021

Half the check (missing the name check) is done for ngtcp2+quictls in #8178

bagder added a commit that referenced this issue Dec 25, 2021
Make ngtcp2+quictls correctly acknowledge `CURLOPT_SSL_VERIFYPEER` and
`CURLOPT_SSL_VERIFYHOST`.

The name check now uses a function from lib/vtls/openssl.c which will
need attention for when TLS is not done by OpenSSL or is disabled while
QUIC is enabled.

Possibly the servercert() function in openssl.c should be adjusted to be
able to use for both regular TLS and QUIC.

Ref: #8173
bagder added a commit that referenced this issue Dec 28, 2021
Make ngtcp2+quictls correctly acknowledge `CURLOPT_SSL_VERIFYPEER` and
`CURLOPT_SSL_VERIFYHOST`.

The name check now uses a function from lib/vtls/openssl.c which will
need attention for when TLS is not done by OpenSSL or is disabled while
QUIC is enabled.

Possibly the servercert() function in openssl.c should be adjusted to be
able to use for both regular TLS and QUIC.

Ref: #8173
Closes #8178
@bagder
Member Author

bagder commented Dec 28, 2021

This problem is now fixed in master (8fbd6fe) for the ngtcp2 backend.

@bagder bagder changed the title from "curl with HTTP/3 silently ignores certificate problems" to "curl+quiche with HTTP/3 silently ignores certificate problems" Jan 1, 2022
@bagder bagder self-assigned this Jan 2, 2022
@bagder bagder closed this as completed in 3aee361 Jan 15, 2022