[luci] server certificate verification with luci/httpclient

Steven Barth steven at midlink.org
Thu Jun 10 09:42:34 CEST 2010


Sorry for taking so long, studies and business have been quite time consuming 
lately.


> Notes:
> 1/ I can't seem to pinpoint the reason why the '#ifdef WITH_CYASSL' check
> should be omitted for the validation to work properly. Setting the
> validation to 'peer' in Lua code does not work when this #ifdef is
> included in the library.

Unfortunately I cannot commit this patch, because leaving out the ifdef would 
break default behaviour for TLS clients or at least make it incompatible with 
OpenSSL's behaviour, which would be very unfortunate. AFAIK SSL_VERIFY_NONE is 
the default on openssl but not on cyassl; that's the reason for the ifdef.

The rest of the patch seems fine and I will commit it soon.

If resetting the validation to peer afterwards on cyassl does not work this 
might be a bug in their library but I'm not sure yet because I haven't been 
looking deeply into it yet.

> 
> 2/ There is an error defining SSL_FILETYPE_PEM and SSL_FILETYPE_ASN1 in
> ssl.h for cyassl:
> ./include/openssl/ssl.h:432:    SSL_FILETYPE_PEM     = 11,
> ./include/openssl/ssl.h:431:    SSL_FILETYPE_ASN1    = 10,
> 
> While openssl (and nixio.tls) expect:
> ./include/openssl/ssl.h:340:#define SSL_FILETYPE_ASN1   X509_FILETYPE_ASN1
> ./include/openssl/ssl.h:341:#define SSL_FILETYPE_PEM    X509_FILETYPE_PEM
> ./include/openssl/x509.h:122:#define X509_FILETYPE_PEM  1
> ./include/openssl/x509.h:123:#define X509_FILETYPE_ASN1 2
> 
> This means that nixio's tls:set_cert and tls:set_key are not likely to
> work with cyassl.

This shouldn't be a problem if you compile nixio with the right header files. 
lucid uses nixio to provide SSL, and loading certificate and key worked fine last 
time I tried it.

You cannot use an openssl-nixio against a libcyassl (or vice-versa) 
anyway, so that should not be a problem.


> 
> 3/ Cyassl's SSL_CTX_load_verify_locations will only work with a CAfile
> being specified. CApath is ignored. Furthermore, cyassl will only load
> the first certificate in the bundle. Specifying a certificate chain by
> putting all certificates in a cacert-type bundle and pointing to this
> file with SSL_CTX_load_verify_locations will not work. With openssl, it
> does.

OK, this seems to be a cyassl issue then. I will forward it to the developers.


Regards,

Steven
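Two of the points above have a defensive counterpart that is easy to check in code: never rely on the TLS library's default verify mode (point 1, where OpenSSL starts at SSL_VERIFY_NONE and cyassl does not), and after loading a CA bundle confirm that every certificate in it actually reached the trust store (point 3, where a library that reads only the first PEM block silently leaves the remaining anchors untrusted). The following is an added example written against Python's standard `ssl` module (which wraps OpenSSL); it is not code from the luci, lucid or nixio projects, and the PEM bundle it contains is constructed framing only, not real certificates.

```python
"""Added example (not from the luci/nixio thread or project code): a TLS client
context that sets peer verification explicitly instead of trusting the library
default, plus a preflight check that every certificate in a CA bundle landed
in the trust store."""
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed sample: two complete blocks and one truncated block. The base64
# bodies are arbitrary text, not real certificates; only the framing matters.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIE5PVCBBIFJFQUwgQ0VSVA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
QU5PVEhFUiBDT05TVFJVQ1RFRCBCTE9DSw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
VFJVTkNBVEVE
"""


def count_pem_certs(bundle_text: str) -> int:
    """Count well-formed certificate blocks in a PEM bundle.

    A BEGIN line is counted only once its matching END line is seen, so a
    truncated trailing block is not mistaken for a trust anchor.
    """
    count = 0
    in_block = False
    for raw in bundle_text.splitlines():
        line = raw.strip()
        if line == PEM_BEGIN:
            in_block = True
        elif line == PEM_END and in_block:
            count += 1
            in_block = False
    return count


def make_client_context() -> ssl.SSLContext:
    """Client context with the verify mode set explicitly.

    OpenSSL's SSL_CTX_new() starts at SSL_VERIFY_NONE while cyassl does not;
    setting CERT_REQUIRED (the SSL_VERIFY_PEER equivalent) here removes any
    dependency on which library's default is in effect.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def load_bundle_checked(ctx: ssl.SSLContext, bundle_path: str) -> int:
    """Load a CA bundle and confirm the store grew by as many X.509 objects
    as the file has PEM blocks. Returns the number loaded; raises if fewer.

    A library that reads only the first certificate of a bundle (the
    behaviour reported for cyassl above) fails this check instead of
    silently leaving the later anchors untrusted.
    """
    with open(bundle_path, encoding="ascii") as f:
        expected = count_pem_certs(f.read())
    before = ctx.cert_store_stats()["x509"]
    ctx.load_verify_locations(cafile=bundle_path)
    loaded = ctx.cert_store_stats()["x509"] - before
    if loaded < expected:
        raise RuntimeError(
            f"bundle has {expected} certificates but only {loaded} were loaded")
    return loaded


if __name__ == "__main__":
    print("certificate blocks in constructed bundle:",
          count_pem_certs(SAMPLE_BUNDLE))
    ctx = make_client_context()
    print("verify_mode:", ctx.verify_mode.name, "check_hostname:",
          ctx.check_hostname)
    # Real use: load_bundle_checked(ctx, "/etc/ssl/certs/ca-certificates.crt")
```

`load_bundle_checked` needs a file of real certificates to do anything useful, which is why the runnable part of the example stops at the constructed bundle; pointed at a system CA bundle it reports how many anchors OpenSSL actually installed, and that is the number to compare against a cyassl build when reproducing point 3.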
