
Re: [PATCHv2] mbedtls: Implement CURLOPT_PINNEDPUBLICKEY

From: Thomas Glanzmann <thomas_at_glanzmann.de>
Date: Wed, 13 Jan 2016 21:03:02 +0100

Hello Ray,

> I thought we already do this [1], I'm at a loss for why session resume
> doesn't work if in fact it doesn't. I recall it did appear to resume
> for me, probably I had a different google server than you.

does it work for you? I tried with session id and tickets and used curl
debug output as well as wireshark. And I could not see that it even
tried to resume. But maybe I missed something.

> Ok we should be fine then since 1.3.0 is when it was polarssl not
> mbedtls. As far as checking each key in the chain, and your reply in
> that thread [2] where you said you would implement pinning not only
> for the peer cert (I assume you want to for every cert in the chain),
> note that is not the way it is implemented for the other backends.

> The CURLOPT_PINNEDPUBLICKEY documentation [3] says "the server sends a
> certificate indicating its identity. A public key is extracted from this
> certificate and if it does not exactly match the public key provided to this
> option, curl will abort the connection before sending or receiving any data.
> " Therefore I'd bring up chain pinning as a separate discussion if you want
> to see it implemented.

I see. If this is the intended behaviour, then we leave it at this.

> Further, to your comments in a previous e-mail about pinning, it was
> intended that the pinning check takes place even if verifypeer is disabled.
> Though this is not explicitly documented and there's no test for it (I'm
> working on that, haven't forgotten) that is the way it should be implemented
> across all backends including OpenSSL. Specifically in reference to the line
> you cited in openssl.c [4] there's no return there so I think you misread
> it.

You're right. I tested it against OpenSSL and certificate pinning is
enforced even when verifypeer is 0. I just wrote a test program and it
confirms what you say. I thought I had this tested before but apparently
I did not.

Cheers,
        Thomas
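The test Thomas describes above, reconstructed as an added example (this is not code from the thread or from the curl project): it derives the sha256// pin from the peer certificate's public key in the form CURLOPT_PINNEDPUBLICKEY / --pinnedpubkey expect, then fetches with peer verification disabled and checks that a wrong pin is still rejected with CURLE_SSL_PINNEDPUBKEYNOTMATCH. It assumes openssl and a curl with pinning support (7.44.0 or later for sha256// pins) on PATH; the URL and certificate file are caller-supplied.

```shell
#!/bin/sh
# Added example, not code from the curl project or the mailing-list thread.
# Assumes: openssl and a pin-capable curl on PATH; the caller passes the
# server's PEM certificate and the URL to test.

# Derive "sha256//<base64 digest>" from the SubjectPublicKeyInfo of a PEM
# certificate. This pins only the peer (leaf) key, matching the documented
# CURLOPT_PINNEDPUBLICKEY behaviour discussed above, not the whole chain.
pubkey_pin() {
    cert="$1"
    digest=$(openssl x509 -in "$cert" -pubkey -noout \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A)
    printf 'sha256//%s\n' "$digest"
}

# Fetch URL with verifypeer off (--insecure) but a pin set. Prints "pin-ok",
# "pin-mismatch" (curl exit code 90, CURLE_SSL_PINNEDPUBKEYNOTMATCH) or
# "other-error:<code>". A mismatch result shows the pin is enforced even
# though certificate verification was disabled.
check_pin_with_verifypeer_off() {
    url="$1"; pin="$2"
    rc=0
    curl --silent --show-error --output /dev/null \
        --insecure --pinnedpubkey "$pin" "$url" || rc=$?
    case "$rc" in
        0)  echo pin-ok ;;
        90) echo pin-mismatch ;;
        *)  echo "other-error:$rc" ;;
    esac
}

# Usage: sh pin_check.sh server-cert.pem https://host/
# Besides the computed pin, a constructed all-zero pin of the right length
# is tried so the rejection path is exercised too.
if [ "$#" -ge 2 ]; then
    good=$(pubkey_pin "$1")
    bad='sha256//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
    echo "computed pin: $good"
    echo "correct pin, verifypeer off: $(check_pin_with_verifypeer_off "$2" "$good")"
    echo "wrong pin,   verifypeer off: $(check_pin_with_verifypeer_off "$2" "$bad")"
fi
```

With a correct pin the second line reports pin-ok and with the wrong pin pin-mismatch; any other code points at a connection or TLS problem unrelated to pinning.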
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2016-01-13