cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: [PATCHv2] mbedtls: Implement CURLOPT_PINNEDPUBLICKEY

From: Thomas Glanzmann <thomas_at_glanzmann.de>
Date: Mon, 11 Jan 2016 10:02:13 +0100

Hello Ray,

* Ray Satiro <raysatiro_at_yahoo.com> [2016-01-11 09:25]:
> Also I notice if peer verification is disabled the SSLpinning result
> isn't checked. This was not caught by the tests so I'll add a test for
> that.

I noticed that, too. But I thought this was the intended behaviour
because OpenSSL does the same.

See here:

http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
https://github.com/bagder/curl/blob/master/lib/vtls/openssl.c#L2721
https://github.com/bagder/curl/blob/master/lib/vtls/openssl.c#L2654

Or in one sentence, if VERIFYPEER is 0, VERIFYHOST is set to zero which
means that strict is 0. If strict is 0, the certificate pinning is not
done. Or did I miss something?

I would prefer that pinning is always done if there is a pin
nevertheless verifypeer is enabled or not, but we should agree what we
do here and than do it for all SSL backends the same.

> I propose a different solution for both of those issues. Rather than
> call Curl_pin_peer_pubkey during certificate verification from a
> verify callback we call it after the certificate verification (in
> mbedtls_connect_step2). I think that would be an easier way to deal
> with it. See code at [1].

I tested your method and it works for my usecase.

> - There is a comment in the code that says a peer cert is not available
> after an SSL session resume, specifically "If the session was resumed, there
> will be no peer cert". It appears that was copied from PolarSSL. I looked in
> the mbedTLS documentation to confirm but there's nothing documented in
> mbedtls_ssl_get_peer_cert. However mbedtls_ssl_get_session [2] has a notice
> that says "Currently, peer certificate is lost in the operation." Yet I
> tested it and the peer certificate seems to be available on resume:

> ./curl -v --pinnedpubkey
> sha256//C4G4mPCYzTEVZBFSwJ5u+IxQYaKOxhQwBz7YeD/ELxk= https://google.com
> https://google.com

I'll ask on the mbedtls mailing list and ask them.

> - mbedtls_pk_write_pubkey_der expects a mbedtls_pk_context that is non-const
> [3], but mbedtls_ssl_get_peer_cert returns a const certificate. I don't see
> a way to make a non-const copy of the public key but there is probably a way
> to do this, or copy the cert or some parent container.

I'll have a look at that and come back to you.

Cheers,
Thomas
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2016-01-11

This message: [ Message body ]
Next message: Catlow, Martyn: "curl api nghttp2 co-req ?"
Previous message: Ray Satiro via curl-library: "Re: [PATCHv2] mbedtls: Implement CURLOPT_PINNEDPUBLICKEY"
In reply to: Ray Satiro via curl-library: "Re: [PATCHv2] mbedtls: Implement CURLOPT_PINNEDPUBLICKEY"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]