If hostname verification fails, store_context.error is V_OK #244
Comments
rhenium
added a commit
to rhenium/ruby-openssl
that referenced
this issue
Feb 24, 2020
When the verify_hostname option is enabled, the hostname verification is done before calling verify_callback provided by the user. The callback should be notified of the hostname verification failure. OpenSSL::X509::StoreContext's error code must be set to an appropriate value rather than OpenSSL::X509::V_OK. If the constant X509_V_ERR_HOSTNAME_MISMATCH is available (OpenSSL >= 1.0.2), use it. Otherwise use the generic X509_V_ERR_CERT_REJECTED. Reference: ruby#244 Fixes: 028e495 ("ssl: add verify_hostname option to SSLContext", 2016-06-27)
rhenium
added a commit
to rhenium/ruby-openssl
that referenced
this issue
Feb 24, 2020
When the verify_hostname option is enabled, the hostname verification is done before calling verify_callback provided by the user. The callback should be notified of the hostname verification failure. OpenSSL::X509::StoreContext's error code must be set to an appropriate value rather than OpenSSL::X509::V_OK. If the constant X509_V_ERR_HOSTNAME_MISMATCH is available (OpenSSL >= 1.0.2), use it. Otherwise use the generic X509_V_ERR_CERT_REJECTED. Reference: ruby#244 Fixes: 028e495 ("ssl: add verify_hostname option to SSLContext", 2016-06-27)
|
Thanks @rhenium! |
joshcooper
added a commit
to joshcooper/puppet
that referenced
this issue
Dec 1, 2021
Ruby now correctly sets the store_context.error when the cert is mismatched[1], [2]. So in that case raise the expected CertMismatchError. [1] ruby/openssl#244 [2] https://github.com/ruby/ruby-openssl/commit/74ef8c0cc56b840b772240f2ee2b0fc0aafa2743
joshcooper
added a commit
to joshcooper/puppet
that referenced
this issue
Dec 1, 2021
Ruby now correctly sets the store_context.error when the cert is mismatched[1], [2]. So in that case raise the expected CertMismatchError. We also have to monkey patch the ruby constant, which was only recently added to match openssl 1.1[3]. [1] ruby/openssl#244 [2] ruby/openssl@74ef8c0 [3] ruby/openssl@65ea09c
joshcooper
added a commit
to joshcooper/puppet
that referenced
this issue
Dec 1, 2021
Ruby now correctly sets the store_context.error when the cert is mismatched[1], [2]. So in that case raise the expected CertMismatchError. We also have to monkey patch the ruby constant, which was only recently added to match openssl 1.1[3]. [1] ruby/openssl#244 [2] ruby/openssl@74ef8c0 [3] ruby/openssl@65ea09c
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
#60 enabled hostname verification by default, as many applications using SSLSockets directly don't know or remember to call
post_connection_check.One unexpected outcome is if an application implements a
verify_callbackand verification fails, then it is called withpreverify_ok=false, but thestore_context.error=0which isOpenSSL::X509::V_OK! This could cause problems if an application assumesstore_context.error == 0means verification succeeded.If a hostname mismatch is detected, I would expect
store_context.errorto be set toOpenSSL::X509::V_ERR_CERT_REJECTEDso that there is no chance of confusion.The text was updated successfully, but these errors were encountered: