Hi Tobias,
That sounds like a good plan. To sum it up, the only difference to the current version is that the plugin will verify server names as well (this is something OpenSSL doesn't support out of the box, but it has all the tools necessary to do so). So a), b) and c) are all image-side changes. I'm not sure if we need c) at all, because we can simply signal a resumable error when the certificate chain fails to be verified by the plugin, and let you, the user, handle that error when necessary.
Levente
On Thu, 20 Aug 2015, Tobias Pape wrote:
Hi again (hi sven)
On 02.06.2015, at 05:56, Levente Uzonyi leves@elte.hu wrote:
Hi David,
There's a debate about how SAN certificates - and server name verification in general - should be handled[1][2]. I tend to agree with Tobias on verifying the server name in the plugin, but getting there will require further efforts - especially on the unix platform.
While this version solves a particular case, and is backwards compatible on the image side, I think we should look for a better, more general solution.
I have sketched an idea how to handle verification in SqueakSSL in general (and briefly presented to Bert), I'm not yet sure, however, and I'm on vacation the next two weeks. But after that I'd like to spark a discussion (hopefully including Sven, for Zodiac) that will involve:
a) no manual verification. Period.
b) fail on non-verification.
c) optional 'unverified' mode that has to be requested explicitly
d) Moving the Unix platform code to libtls (easier to understand)
That's my 2ct for now, more in September.
Best regards -Tobias
Levente
[1] http://lists.squeakfoundation.org/pipermail/squeak-dev/2015-May/184613.html
[2] http://lists.squeakfoundation.org/pipermail/squeak-dev/2015-May/184631.html
On Mon, 1 Jun 2015, David T. Lewis wrote:
Hi Levente,
Regarding your VM changes for SqueakSSL, shall I commit these to the SVN trunk repository? Ian delegated access to platforms/unix so that I can do that for you if you like.
We have several Mantis entries to track your SqueakSSL work:
http://bugs.squeak.org/view.php?id=7751 (Add SSL plugin)
http://bugs.squeak.org/view.php?id=7793 (Memory leak in the SqueakSSL plugin on unix)
http://bugs.squeak.org/view.php?id=7824 (Add TLS SNI Server Name Indication support to SqueakSSL plugin)
Your latest version http://leves.web.elte.hu/squeak/SqueakSSL/ adds the SAN certificates support, so I think we should commit your latest version and close the Mantis issues.
If you agree I will update the SVN files.
Thanks, Dave
p.s. There are still issues in SqueakSSL when sizeof(sqInt) is 8 (64 bit images) but that is a separate discussion.
On Tue, May 26, 2015 at 11:55:42PM +0200, Levente Uzonyi wrote:
Hi All,
I've implemented support for reading the domain names from the certificate's SAN extension[1] in SqueakSSL. The image side code is in the Inbox[2]. It is backwards compatible -- everything works as before without the VM changes. I've also uploaded the modified files[3][4] for the unix platform, and a diff[5] (which somehow doesn't include the changes of the .h file).
The VM support code for other platforms is to be done.
These changes fix the failing SqueakSSL test in the Trunk, so I suggest including the .mcz file in the 4.6 release.
Levente
[1] https://en.wikipedia.org/wiki/SubjectAltName
[2] http://lists.squeakfoundation.org/pipermail/squeak-dev/2015-May/184581.html
[3] http://leves.web.elte.hu/squeak/SqueakSSL/SqueakSSL.h
[4] http://leves.web.elte.hu/squeak/SqueakSSL/sqUnixOpenSSL.c
[5] http://leves.web.elte.hu/squeak/SqueakSSL/diff.txt
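
Added example, not part of the thread and not SqueakSSL or OpenSSL code: a sketch of the server name check discussed above, applied to dNSName entries already read from a certificate's SAN extension. The type `san_name` and the functions `san_entry_matches` and `verify_server_name` are hypothetical names, and the sample entries are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* One SAN dNSName entry as read from the certificate: length-delimited bytes. */
typedef struct { const char *data; size_t len; } san_name;
#define SAN(s) { (s), sizeof(s) - 1 }

/* Case-insensitive comparison of two ASCII byte ranges of length n. */
static int ascii_ieq(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Match one SAN entry against the host name the client asked for. */
static int san_entry_matches(const san_name *e, const char *host) {
    size_t hlen = strlen(host);
    /* An entry with an embedded NUL would be truncated by C string
       functions and appear to match a shorter name, so refuse it. */
    if (e->len == 0 || memchr(e->data, '\0', e->len)) return 0;
    if (e->len >= 2 && e->data[0] == '*' && e->data[1] == '.') {
        const char *rest = e->data + 2;
        size_t rlen = e->len - 2;
        const char *dot = strchr(host, '.');
        /* "*" stands for exactly one non-empty left-most label; the rest
           must contain a dot ("*.com" is refused) and no other wildcard. */
        if (!dot || dot == host || !memchr(rest, '.', rlen) || memchr(rest, '*', rlen))
            return 0;
        return hlen - (size_t)(dot + 1 - host) == rlen && ascii_ieq(rest, dot + 1, rlen);
    }
    if (memchr(e->data, '*', e->len)) return 0;   /* wildcard anywhere else */
    return e->len == hlen && ascii_ieq(e->data, host, hlen);
}

/* Returns 1 only if some entry matches; no entries or no host fails closed. */
int verify_server_name(const char *host, const san_name *names, size_t count) {
    if (!host || !*host) return 0;
    for (size_t i = 0; i < count; i++)
        if (san_entry_matches(&names[i], host)) return 1;
    return 0;
}

/* Constructed sample entries, including one with an embedded NUL byte. */
static const san_name SAMPLE[] = {
    SAN("www.example.org"), SAN("*.example.net"), SAN("good.example\0.evil.test")
};

int main(void) {
    return verify_server_name("a.example.net", SAMPLE, 3) ? 0 : 1;
}
```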