[luci] server certificate verification with luci/httpclient
Bart Van Der Meerssche
bart.vandermeerssche at flukso.net
Thu Jun 10 19:27:47 CEST 2010
Hi Steven,
Steven Barth wrote:
> Sorry for taking so long, studies and business have been quite time consuming
> lately.
>
>
>> Notes:
>> 1/ I can't seem to pinpoint the reason why the '#ifdef WITH_CYASSL' check
>> should be omitted for the validation to work properly. Setting the
>> validation to 'peer' in Lua code does not work when this #ifdef is
>> included in the library.
>
> Unfortunately I cannot commit this patch, because leaving out the ifdef would
> break default behaviour for TLS clients or at least make it incompatible with
> OpenSSL's behaviour which would be very unfortunate. AFAIK SSL_VERIFY_NONE is
> default on openssl but not on cyassl, that's the reason for the ifdef.
I know that omitting the '#ifdef WITH_CYASSL' breaks default behaviour
between Cyassl and OpenSSL. However, including it breaks the similarity
in behaviour between the two libs as well: With openssl you can set
tls:set_verify("peer") which will turn on certificate validation, while
with cyassl validation will always succeed, despite setting
tls:set_verify("peer"). It shouldn't behave like this, but for some
reason I haven't been able to pinpoint, it does. So it's a choice
between two evils.
I would consider omitting the '#ifdef WITH_CYASSL' because:
1/ Not having certificates validated under Cyassl, while _explicitly_
asking the library to do so, is a severe security bug. The client thinks
he's safe from man-in-the-middle attacks, while actually he's not. To
me this situation is worse than default settings not aligning.
2/ When omitting '#ifdef WITH_CYASSL', Cyassl can still mimic the
OpenSSL default behaviour by setting tls:set_verify("none"). So there is
a workaround.
3/ Maybe you could consider setting the default Luci TLS behaviour to
validate certificates with all libraries. So use an '#ifdef
WITH_OPENSSL' and force OpenSSL to verify by default. From a security
perspective this looks a lot better: You will not be able to set up a
TLS connection unless you have a proper server cert loaded, or if you
explicitly turn off verification (at your own peril).
Cheers,
Bart.
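The check Bart is asking for, as an added example that is not part of this thread and not LuCI's httpclient or nixio code: a Go program (Go is used here only because its standard library can mint the throw-away certificate and run both ends of the handshake offline, not because LuCI uses Go) that starts a loopback TLS server with a self-signed certificate and runs three client policies against it, mirroring tls:set_verify("none"), tls:set_verify("peer") with no trust anchor for that cert, and tls:set_verify("peer") with the server cert loaded as a trust anchor. The names Outcome, RunScenario, handshake and selfSignedCert, and the certificate itself, are constructs of this example. The middle case is the one that matters: "peer" with no trust anchor must fail, and fail with a verification error rather than an incidental one; a build where that case connects is showing the behaviour Bart reports for CyaSSL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Outcome records how each client policy treated a server whose certificate
// chains to no trust anchor the client knows about.
type Outcome struct {
	NoneConnected   bool // verify "none": handshake succeeded (open to MITM)
	PeerRejected    bool // verify "peer", empty trust store: handshake refused
	PeerUnknownAuth bool // ...and the refusal was an unknown-authority error
	PinnedConnected bool // verify "peer" with that cert trusted: handshake succeeded
}

// selfSignedCert mints a throw-away self-signed cert for 127.0.0.1
// (constructed test material for this example, not a deployment cert).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "untrusted test server"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// handshake dials addr under the given client policy; tls.Dial completes the
// handshake (and so the certificate check) before returning.
func handshake(addr string, cfg *tls.Config) error {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 3 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// RunScenario serves the untrusted cert on loopback and runs the three policies.
func RunScenario() (Outcome, error) {
	var out Outcome
	cert, err := selfSignedCert()
	if err != nil {
		return out, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return out, err
	}
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				// Drive the server side; a client aborting on verification
				// failure just ends this connection.
				_ = c.(*tls.Conn).Handshake()
				c.Close()
			}(c)
		}
	}()
	addr := ln.Addr().String()

	// set_verify("none"): the insecure OpenSSL default discussed in the thread.
	out.NoneConnected = handshake(addr, &tls.Config{InsecureSkipVerify: true}) == nil

	// set_verify("peer") with no trust anchor: must fail, and specifically
	// because the issuer is unknown (an empty pool disables the system roots).
	err = handshake(addr, &tls.Config{RootCAs: x509.NewCertPool()})
	out.PeerRejected = err != nil
	var unknown x509.UnknownAuthorityError
	out.PeerUnknownAuth = errors.As(err, &unknown)

	// set_verify("peer") with the server cert loaded: must succeed, proving
	// the rejection above was about trust and not a broken server.
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf)
	out.PinnedConnected = handshake(addr, &tls.Config{RootCAs: pool}) == nil
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", out)
}
```

Run with `go run`: all four fields should be true. If the untrusted "peer" case connects, the TLS library is accepting any certificate regardless of the verify setting, which is the silent failure described above, and every httpclient request made through it can be intercepted by an active attacker. A test of this shape belongs next to whatever wrapper exposes set_verify, so a build-option change such as the WITH_CYASSL ifdef cannot regress it unnoticed.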