A better support of partial chain mechanism #9768
Labels: component-x509, enhancement, help-wanted (This issue is not being actively worked on, but PRs welcome.), size-s (Estimated task size: small (~2d))
Hi dear developers of mbedtls & ARM.
I am from NanoMQ (https://github.com/nanomq/nanomq/); our TLS/SSL layer is based on mbedtls. Hereby I just want to share a thought with you guys, to verify if my assumption is correct.
I encountered a tricky issue while delivering an SDV solution to an OEM. They have a long CACERT, 5 ROOT CAs in one file. During the handshake, the server sends "server hello done" & "certificate request" together to the client, and mbedtls replies with only one ROOT CA from the long CA file, which results in the server resetting the handshake with encryption alert 21. From the SDK perspective, it is a 0x7880 error, similar to #5103.
BTW, the server side is an nginx LB, which is widely used in the open source world.
Suggested enhancement
Then I started packet sniffing and digging into mbedtls's code base, and I found something weird.
There is a long comment in `static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)` that says:

```c
/*
 * struct {
 *     ClientCertificateType certificate_types<1..2^8-1>;
 *     SignatureAndHashAlgorithm
 *       supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
 *     DistinguishedName certificate_authorities<0..2^16-1>;
 * } CertificateRequest;
 *
 * Since we only support a single certificate on clients, let's just
 * ignore all the information that's supposed to help us pick a
 * certificate.
 *
 * We could check that our certificate matches the request, and bail out
 * if it doesn't, but it's simpler to just send the certificate anyway,
 * and give the server the opportunity to decide if it should terminate
 * the connection when it doesn't like our certificate.
 *
 * Same goes for the hash in TLS 1.2's signature_algorithms: at this
 * point we only have one hash available (see comments in
 * write_certificate_verify), so let's just use what we have.
 *
 * However, we still minimally parse the message to check it is at least
 * superficially sane.
 */
```

Then mbedtls only sends own_cert in `mbedtls_ssl_write_certificate`; after manually altering this part of mbedtls to send the whole CA chain, the error is gone. First of all, I am not an expert in encryption and TLS/SSL, but it seems like mbedtls's behaviour is different from other popular TLS SDKs (Python & JS always send the whole CA chain). I searched for the details of the mTLS process, and it turns out the partial link is just an alternative option; some said it is legitimate for mbedtls to do so, some said it is a flaw of mbedtls.
But I am only wondering why mbedtls made such a decision; this issue is really giving me cancer these days. At least I hope the lib could expose some API to let the app decide whether to send the whole CA chain or not.
Justification
Mbed TLS needs to give users more choice while dealing with long CA chain certificates.
pcap files attached: mbedtls, Javascript.
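As an added illustration (not code from this issue or from Mbed TLS), the following Python decodes the CertificateRequest structure quoted in that comment and performs the check the comment says the client skips: whether the client certificate's issuer name appears in the server's advertised certificate_authorities list. All function names, the five sample root CA names and the encoded bytes are constructed for this example.

```python
import struct

# Constructed sample data: five root CAs, mirroring the "5 ROOT CA in one file" case.
SAMPLE_CA_NAMES = ["Root CA 1", "Root CA 2", "Root CA 3", "Root CA 4", "Root CA 5"]

def _tlv(tag, content):
    """Minimal DER tag-length-value for short (< 128 byte) contents."""
    if len(content) >= 128:
        raise ValueError("long-form DER lengths not handled in this sample")
    return bytes([tag, len(content)]) + content

def der_cn_name(cn):
    """DER X.501 Name holding a single commonName (OID 2.5.4.3) PrintableString."""
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x13, cn.encode("ascii")))
    return _tlv(0x30, _tlv(0x31, atv))

def build_certificate_request(cert_types, sig_algs, ca_names):
    """Encode a TLS 1.2 CertificateRequest body (RFC 5246 section 7.4.4)."""
    body = bytes([len(cert_types)]) + bytes(cert_types)
    sa = b"".join(bytes(pair) for pair in sig_algs)
    body += struct.pack("!H", len(sa)) + sa
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    return body + struct.pack("!H", len(cas)) + cas

def parse_certificate_request(body):
    """Decode a body into (cert_types, sig_algs, DER CA names); ValueError if malformed."""
    def take(n, pos):
        if pos + n > len(body):
            raise ValueError("truncated CertificateRequest")
        return body[pos:pos + n], pos + n
    if not body:
        raise ValueError("empty CertificateRequest")
    cert_types, pos = take(body[0], 1)
    raw, pos = take(2, pos)
    sig_raw, pos = take(struct.unpack("!H", raw)[0], pos)
    if len(sig_raw) % 2:
        raise ValueError("odd supported_signature_algorithms length")
    sig_algs = [(sig_raw[i], sig_raw[i + 1]) for i in range(0, len(sig_raw), 2)]
    raw, pos = take(2, pos)
    cas_raw, pos = take(struct.unpack("!H", raw)[0], pos)
    if pos != len(body):
        raise ValueError("trailing bytes after certificate_authorities")
    cas, p = [], 0
    while p < len(cas_raw):
        if p + 2 > len(cas_raw):
            raise ValueError("truncated DistinguishedName length")
        dn_len = struct.unpack_from("!H", cas_raw, p)[0]
        if p + 2 + dn_len > len(cas_raw):
            raise ValueError("truncated DistinguishedName")
        cas.append(bytes(cas_raw[p + 2:p + 2 + dn_len]))
        p += 2 + dn_len
    return list(cert_types), sig_algs, cas

def issuer_accepted(body, client_issuer_dn):
    """True if the server lists the client cert's issuer (byte-exact DER) or lists no CA at all."""
    _, _, cas = parse_certificate_request(body)
    return not cas or client_issuer_dn in cas
```

Running it against a request built from the five sample names reports True for a client certificate issued by "Root CA 3" and False for an issuer the server did not advertise, which is the early diagnostic a client could log instead of sending a certificate the server will reject with a fatal alert.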