[luci] server certificate verification with luci/httpclient

Steven Barth steven at midlink.org
Thu Jun 10 19:51:04 CEST 2010


Hi,

yes I agree with you. However I've contacted the yassl developers about the 
issue and will wait for their response before deciding to change the default 
behaviour if this happens to be something they could fix.

Regards,
Steven


On Thursday 10 June 2010, 19:27:47, Bart Van Der Meerssche wrote:
> Hi Steven,
> 
> Steven Barth wrote:
> > Sorry for taking so long, studies and business have been quite time
> > consuming lately.
> > 
> >> Notes:
> >> 1/ I can't seem to pinpoint the reason why the '#ifdef WITH_CYASSL' check
> >> should be omitted for the validation to work properly. Setting the
> >> validation to 'peer' in Lua code does not work when this #ifdef is
> >> included in the library.
> > 
> > Unfortunately I cannot commit this patch, because leaving out the ifdef
> > would break default behaviour for TLS clients or at least make it
> > incompatible with OpenSSL's behaviour which would be very unfortunate.
> > AFAIK SSL_VERIFY_NONE is default on openssl but not on cyassl, that's the
> > reason for the ifdef.
> 
> I know that omitting the '#ifdef WITH_CYASSL' breaks default behaviour
> between Cyassl and OpenSSL. However, including it breaks the similarity
> in behaviour between the two libs as well: With openssl you can set
> tls:set_verify("peer") which will turn on certificate validation, while
> with cyassl validation will always succeed, despite setting
> tls:set_verify("peer"). It shouldn't behave like this, but for some
> reason I haven't been able to pinpoint, it does. So it's a choice
> between two evils.
> 
> I would consider omitting the '#ifdef WITH_CYASSL' because:
> 1/ Not having certificates validated under Cyassl, while _explicitly_
> asking the library to do so, is a severe security bug. The client thinks
> he's safe from man-in-the-middle attacks, while actually he's not. To
> me this situation is worse than default settings not aligning.
> 
> 2/ When omitting '#ifdef WITH_CYASSL', Cyassl can still mimic the
> OpenSSL default behaviour by setting tls:set_verify("none"). So there is
> a workaround.
> 
> 3/ Maybe you could consider setting the default Luci TLS behaviour to
> validate certificates with all libraries. So use an '#ifdef
> WITH_OPENSSL' and force OpenSSL to verify by default. From a security
> perspective this looks a lot better: You will not be able to set up a
> TLS connection unless you have a proper server cert loaded, or if you
> explicitly turn off verification (at your own peril).
> 
> Cheers,
> Bart.