pass CA certificates to SSLCtx when provided by pkcs12 #1444

Merged
merged 3 commits into from
Apr 6, 2021

Conversation

wfurt
Member

@wfurt wfurt commented Apr 6, 2021

More work may need to be done if the CAs come in the wrong order or have unrelated entries. TLS should send the chain without the root CA.

TLS 1.3 seems more liberal about ordering: https://tools.ietf.org/html/rfc8446#section-4.4.2

   Note: Prior to TLS 1.3, "certificate_list" ordering required each
   certificate to certify the one immediately preceding it; however,
   some implementations allowed some flexibility.  Servers sometimes
   send both a current and deprecated intermediate for transitional
   purposes, and others are simply configured incorrectly, but these
   cases can nonetheless be validated properly.  For maximum
   compatibility, all implementations SHOULD be prepared to handle
   potentially extraneous certificates and arbitrary orderings from any
   TLS version, with the exception of the end-entity certificate which
   MUST be first.

Seems to work OK in the cases I tested (e.g. a valid ordered list) by watching the certificate stack on the receiver side.
contributes to dotnet/runtime#49574

cc: @ManickaP
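The description above leaves the wrong-order and unrelated-entry cases as future work. As an added illustration (not msquic code, and using Go's crypto/x509 rather than the OpenSSL API the PR touches), the example below builds a constructed root / intermediate / leaf PKI plus an unrelated self-signed CA, hands the CA certificates over in a scrambled order as a PKCS#12 bag might, orders them leaf-first while dropping the root and the unrelated entry, and then checks that a receiver holding only the root still validates the list. The names `BuildSendChain`, `VerifyReceived`, `Demo` and the hostname `example.test` are assumptions for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed serial counter so test certificates stay distinct

// makeCert mints a certificate for the constructed test PKI. With parent == nil
// the certificate is self-signed (a root); isCA marks roots and intermediates.
func makeCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{"example.test"}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildSendChain orders what goes on the wire: end-entity first, then each
// issuer in turn. Self-signed entries (the root, or an unrelated root) are never
// sent because the peer has to trust them already, and extras that are not on
// the issuer path from the leaf are dropped as unrelated.
func BuildSendChain(leaf *x509.Certificate, extras []*x509.Certificate) []*x509.Certificate {
	chain := []*x509.Certificate{leaf}
	cur := leaf
	for len(chain) <= len(extras) { // bound the walk in case extras contain a loop
		var next *x509.Certificate
		for _, c := range extras {
			if c.CheckSignatureFrom(c) == nil {
				continue // self-signed: a root, not part of the sent chain
			}
			if cur.CheckSignatureFrom(c) == nil {
				next = c // c issued cur, so it is the next link
				break
			}
		}
		if next == nil {
			break
		}
		chain = append(chain, next)
		cur = next
	}
	return chain
}

// VerifyReceived mimics the receiver: the first certificate must be the
// end-entity (RFC 8446 section 4.4.2); everything after it goes into an
// intermediates pool, so ordering and extraneous entries there do not matter.
func VerifyReceived(received []*x509.Certificate, root *x509.Certificate) error {
	if len(received) == 0 {
		return fmt.Errorf("empty certificate_list")
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range received[1:] {
		inters.AddCert(c)
	}
	_, err := received[0].Verify(x509.VerifyOptions{DNSName: "example.test", Roots: roots, Intermediates: inters})
	return err
}

// Demo feeds the CA certificates in a scrambled order with an unrelated entry
// mixed in, and returns the subject names of the chain that would be sent plus
// the receiver's verification result.
func Demo() ([]string, error) {
	root, rootKey := makeCert("Test Root", true, nil, nil)
	inter, interKey := makeCert("Test Intermediate", true, root, rootKey)
	leaf, _ := makeCert("example.test", false, inter, interKey)
	other, _ := makeCert("Unrelated CA", true, nil, nil)
	extras := []*x509.Certificate{root, other, inter} // constructed "PKCS#12 bag" order
	chain := BuildSendChain(leaf, extras)
	names := make([]string, 0, len(chain))
	for _, c := range chain {
		names = append(names, c.Subject.CommonName)
	}
	return names, VerifyReceived(chain, root)
}

func main() {
	names, err := Demo()
	fmt.Println("sent chain:", names, "receiver verify error:", err)
}
```

The sent list comes out as the leaf followed by the intermediate only; the root and the unrelated CA never leave the sender, and the receiver validates against its own copy of the root. If the bag contained no usable intermediate the chain would be just the leaf, which is the case a receiver without a cached intermediate would reject, so that is the condition worth logging on the sending side.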

@wfurt wfurt requested a review from a team as a code owner April 6, 2021 18:37
src/platform/tls_openssl.c: review comments (outdated, resolved)
@nibanks nibanks merged commit 21c9ede into microsoft:main Apr 6, 2021