8000 Use X509_STORE instead of verifying manually by fealebenpae · Pull Request #7034 · realm/realm-core · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Use X509_STORE instead of verifying manually #7034

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Oct 11, 2023
Merged

Use X509_STORE instead of verifying manually #7034

merged 3 commits into from
Oct 11, 2023

Conversation

fealebenpae
Copy link
Member

What, How & Why?

While testing against BoringSSL we encountered a complete inability to successfully validate the Atlas SSL certificates. It ultimately turned out that the reason was that we weren't passing the hostname string length to X509_VERIFY_PARAM_set1_host() which is an error in BoringSSL, but not OpenSSL, but in the course of debugging I refactored the way we actually include the bundled trusted certificates when REALM_INCLUDE_CERTS is defined.

Previously, we'd install a certificate verification callback on the SSL instance and within it iterate over the bundled certificate list and manually perform x509 verification against the certificate presented by the server in the handshake. Looking at what curl does when using OpenSSL, the correct solution is to instead load the bundles certificate in the SSL context's trust store and let it perform verification instead of us doing it ourselves.

☑️ ToDos

  • 📝 Changelog update
  • 🚦 Tests (or not relevant)
  • C-API, if public C++ API changed.

@fealebenpae fealebenpae self-assigned this Oct 5, 2023
@coveralls-official
Copy link
coveralls-official bot commented Oct 5, 2023
edited
Loading

Pull Request Test Coverage Report for Build yavor.georgiev_366

  • 29 of 29 (100.0%) changed or added relevant lines in 3 files are covered.
  • 92 unchanged lines in 14 files lost coverage.
  • Overall coverage decreased (-0.01%) to 91.579%
Files with Coverage Reduction New Missed Lines %
test/test_dictionary.cpp 1 99.85%
src/realm/array_blobs_big.cpp 2 98.72%
src/realm/array_string.cpp 2 87.78%
src/realm/sync/instruction_applier.cpp 2 70.21%
src/realm/sync/network/websocket.cpp 2 75.26%
src/realm/util/file.cpp 2 81.25%
src/realm/sync/noinst/protocol_codec.hpp 3 76.72%
src/realm/sync/transform.cpp 3 61.71%
src/realm/unicode.cpp 4 90.15%
src/realm/bplustree.cpp 7 75.72%
Totals Coverage Status
Change from base Build 1735: -0.01%
Covered Lines: 230479
Relevant Lines: 251672
💛 - Coveralls

@fealebenpae fealebenpae force-pushed the yg/ssl-x509-store branch 2 times, most recently from dea5f77 to a9beb61 Compare October 5, 2023 17:02
@fealebenpae fealebenpae requested a review from michael-wb October 7, 2023 01:12
michael-wb
michael-wb approved these changes Oct 10, 2023 8000
View reviewed changes
Copy link
Contributor
@michael-wb michael-wb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - it's probably more efficient for SSL to handle the certificate validation anyways.
Do we ever need to update our included root certs? Or should they be up to date (or never/rarely change)?

@fealebenpae fealebenpae merged commit 6b2ec6f into master Oct 11, 2023
@fealebenpae fealebenpae deleted the yg/ssl-x509-store branch October 11, 2023 11:24
@fealebenpae
Copy link
Member Author

@michael-wb I was thinking about that - it wouldn't be too difficult to make a CMake script that takes the latest Mozilla Root CA bundle and encode it in the format we need. But for now we only really care about the ISRG X1 Root certificate that signs the Let's Encrypt certificates used on Atlas and that one's valid until 2035. Users who connect to a different endpoint most likely use a self-signed certificate they need to explicitly trust.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 21, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@michael-wb michael-wb michael-wb approved these changes

Assignees

@fealebenpae fealebenpae

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@fealebenpae @michael-wb
0