ErikMinekus / sm-ripext

SourceMod REST in Pawn Extension
https://forums.alliedmods.net/showthread.php?t=298024
GNU General Public License v3.0

Custom SSL Certificate validation #62

Open agpmilli opened 3 years ago

agpmilli commented 3 years ago

Similar to Issue#12, we are looking to communicate with a local API that runs in HTTPS with a self-signed certificate.

When making the request to the API, we instantly receive an error with status code 0:

Error: Cert verify failed: BADCERT_CN_MISMATCH

Following recommendations from Issue#12, we have tried to add our certificate to the ca-bundle.crt, but it does not fix the issue.

Any idea on how to make it work?

Thanks in advance.

Wend4r commented 3 years ago

https://github.com/ErikMinekus/sm-ripext/blob/f50b9e4ffc8c74dec5cec7b9a734ad860aefffe1/mbedtls/include/mbedtls/x509.h#L88

agpmilli commented 3 years ago

Thanks for bringing this up.

What we are not sure we understand is why this message is displayed. Our local API is available under HTTPS (through Postman on Windows and SteamWorks in SourceMod).

But with RiP (Windows), we get this BADCERT_CN_MISMATCH error whatever the request. Adding the certificate to the ca-bundle.crt does not make any difference.

Can you explain what we should do to fix this problem?

Wend4r commented 3 years ago

At first I thought that you wanted to create your own client certificate so that it works only with your backend. If you don't care about this and you just want regular HTTPS, then you can use ready-made public certificates. For example, https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt

agpmilli commented 3 years ago

To give more context, we have been experiencing issues with our local server and our local API (when not running over HTTPS). We were obtaining status code 100 for all POST requests. (similar to Issue#56)

Following the recommendation in this issue, we have decided to run our local API over HTTPS by creating our own self-signed certificate (see this).

Now our local API runs over HTTPS and there is no more status code 100, but instead we have status code 0 with a BADCERT_CN_MISMATCH error.

We have a cert.pem that contains the certificate, and we tried both replacing configs/ripext/ca-bundle.crt with it and integrating the certificate inside configs/ripext/ca-bundle.crt. But both result in the same behavior.

I hope this makes it more clear.

ErikMinekus commented 3 years ago

Try the debug build and check the certificate info printed to the server console. Maybe something is wrong with the issuer CN or subject CN?
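
Added example, not part of the thread and not code from sm-ripext or mbedTLS: BADCERT_CN_MISMATCH is the name check (the host in the request URL against the names in the certificate), which is separate from the trust check that ca-bundle.crt feeds, so a certificate can be trusted and still fail it. The sketch below is a simplified model of that comparison; the certificate names and hosts are constructed samples, and treating an IP address as just another string is an assumption of the model.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality; DNS names compare without regard to case. */
static int eq_nocase(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Simplified model of TLS name matching: exact match, or a leading "*."
 * in the certificate name covering exactly one left-most label of the host. */
static int name_matches(const char *pattern, const char *host)
{
    if (eq_nocase(pattern, host))
        return 1;
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot != NULL && dot != host && eq_nocase(pattern + 1, dot))
            return 1;
    }
    return 0;
}

/* Constructed sample: subject CN / SAN names a self-signed certificate might carry. */
static const char *const SAMPLE_NAMES[] = { "api.example.test", "*.lan.example.test" };

/* Returns 1 if any sample certificate name covers the host used in the URL. */
int cert_covers_host(const char *host)
{
    for (size_t i = 0; i < sizeof SAMPLE_NAMES / sizeof SAMPLE_NAMES[0]; i++)
        if (name_matches(SAMPLE_NAMES[i], host))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed hosts, as they would appear in the request URL. */
    const char *hosts[] = { "api.example.test", "API.Example.Test", "gs1.lan.example.test",
                            "a.b.lan.example.test", "localhost", "127.0.0.1" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-22s %s\n", hosts[i], cert_covers_host(hosts[i]) ? "ok" : "CN_MISMATCH");
    return 0;
}
```

Comparing the host part of the request URL with the subject CN and SAN entries shown in the debug build's certificate output is the same check done by hand.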