[luci] server certificate verification with luci/httpclient
Steven Barth
steven at midlink.org
Thu Jun 10 09:42:34 CEST 2010
Sorry for taking so long; studies and business have been quite time-consuming
lately.
> Notes:
> 1/ I can't seem to pinpoint the reason why the '#ifdef WITH_CYASSL' check
> should be omitted for the validation to work properly. Setting the
> validation to 'peer' in Lua code does not work when this #ifdef is
> included in the library.
Unfortunately I cannot commit this patch, because leaving out the ifdef would
break default behaviour for TLS clients or at least make it incompatible with
OpenSSL's behaviour, which would be very unfortunate. AFAIK SSL_VERIFY_NONE is
the default on openssl but not on cyassl; that's the reason for the ifdef.
The rest of the patch seems fine and I will commit it soon.
If resetting the validation to peer afterwards on cyassl does not work, this
might be a bug in their library, but I'm not sure yet because I haven't
looked deeply into it yet.
>
> 2/ There is an error defining SSL_FILETYPE_PEM and SSL_FILETYPE_ASN1 in
> ssl.h for cyassl:
> ./include/openssl/ssl.h:432: SSL_FILETYPE_PEM = 11,
> ./include/openssl/ssl.h:431: SSL_FILETYPE_ASN1 = 10,
>
> While openssl (and nixio.tls) expect:
> ./include/openssl/ssl.h:340:#define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1
> ./include/openssl/ssl.h:341:#define SSL_FILETYPE_PEM X509_FILETYPE_PEM
> ./include/openssl/x509.h:122:#define X509_FILETYPE_PEM 1
> ./include/openssl/x509.h:123:#define X509_FILETYPE_ASN1 2
>
> This means that nixio's tls:set_cert and tls:set_key are not likely to
> work with cyassl.
This shouldn't be a problem if you compile nixio with the right header files.
lucid uses nixio to provide SSL, and loading a certificate and key worked fine
the last time I tried it.
You cannot use an openssl-nixio against a libcyassl (or vice-versa)
anyway, so that should not be a problem.
>
> 3/ Cyassl's SSL_CTX_load_verify_locations will only work with a CAfile
> being specified. CApath is ignored. Furthermore, cyassl will only load
> the first certificate in the bundle. Specifying a certificate chain by
> putting all certificates in a cacert-type bundle and pointing to this
> file with SSL_CTX_load_verify_locations will not work. With openssl, it
> does.
OK, this seems to be a cyassl issue then. I will forward it to the developers.
Regards,
Steven
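As an added check for point 3 above (not code from this thread or from the luci, nixio or CyaSSL projects): the script below builds a two-certificate CA bundle from throwaway, constructed CAs and reports how many certificates a trust store actually accepts, first when the whole bundle is loaded and then when only its first certificate is, which is the behaviour reported for CyaSSL. It assumes the openssl command-line tool is installed; the helper names `make_ca` and `count_trusted` are mine.

```shell
#!/bin/sh
# Added check, not from the thread or the luci/nixio/CyaSSL projects.
# Builds throwaway CA certificates (constructed test data) and reports
# how many certificates from a bundle a trust store built from a given
# CA file actually accepts. Assumes the openssl command-line tool.
set -e

# make_ca OUT.pem CN : write a self-signed CA cert (key stored as OUT.pem.key)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$2" -days 1 \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# count_trusted CERTS.pem CAFILE : split CERTS.pem into single certificates
# and count how many verify against CAFILE; prints "accepted/total".
count_trusted() {
    certs="$1"; cafile="$2"; total=0; ok=0
    work=$(mktemp -d)
    # each BEGIN CERTIFICATE line starts a new file cert1.pem, cert2.pem, ...
    awk -v d="$work" '/BEGIN CERTIFICATE/ { n++ } { print > (d "/cert" n ".pem") }' "$certs"
    for c in "$work"/cert*.pem; do
        total=$((total + 1))
        if openssl verify -CAfile "$cafile" "$c" >/dev/null 2>&1; then
            ok=$((ok + 1))
        fi
    done
    rm -rf "$work"
    echo "$ok/$total"
}

# Demo: a two-CA bundle checked against itself, then against a store that
# holds only the first certificate (the CyaSSL behaviour described above).
demo_dir=$(mktemp -d)
make_ca "$demo_dir/ca1.pem" ca1
make_ca "$demo_dir/ca2.pem" ca2
cat "$demo_dir/ca1.pem" "$demo_dir/ca2.pem" > "$demo_dir/bundle.pem"
echo "full bundle loaded:     $(count_trusted "$demo_dir/bundle.pem" "$demo_dir/bundle.pem")"
echo "only first cert loaded: $(count_trusted "$demo_dir/bundle.pem" "$demo_dir/ca1.pem")"
rm -rf "$demo_dir"
```

Pointing a CyaSSL-linked client at the same bundle and checking whether the second CA's certificates are accepted is the quickest way to confirm the first-certificate-only behaviour before relying on a cacert-style bundle.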