SvenDowideit / generate_cert

generate the tls certs needed for Docker TLS socket.
Apache License 2.0

Setting Issuer == Subject breaks certificate validation for later versions of OpenSSL used on the client side #10

Closed. posita closed this 9 years ago

posita commented 9 years ago

Setting both the Issuer (e.g., from ca.pem) and the Subject (e.g., from servercert.pem) to the same value (in this case Boot2Docker) breaks certificate validation for clients using later OpenSSL versions (we have not yet pinpointed which). However, where the Issuer differs from the Subject, all tested versions of OpenSSL will validate.

See https://github.com/docker/compose/issues/890#issuecomment-126854371 et seq. (esp. https://github.com/docker/compose/issues/890#issuecomment-127662092) for a discussion on how this was discovered. I have hacked together a fix, but it probably needs refactoring.


posita commented 9 years ago

I've had a bit of a back-and-forth with the OpenSSL guys. Here's a summary from Steve Henson:

> From: Stephen Henson via RT <rt@openssl.org>
> Subject: [openssl.org #3979] New OpenSSL issue: valid certificate fails validation where subject text == issuer text
> Date: August 5, 2015 at 04:32:18 PDT
> Cc: openssl-dev@openssl.org
> Reply-To: rt@openssl.org
>
> ... The bug is that OpenSSL 1.0.2 is less strict about what counts as a valid self signed certificate. Before 1.0.2 the certificate had to have issuer and subject matching, if present AKID==SKID and keyUsage (if present) had to include keyCertSign. For 1.0.2 and later the keyCertSign check is no longer present.
>
> ...
>
> A workaround (other than making subject != issuer) is to include SKID/AKID in all certificates.
>
> Regards, Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

Full history: http://rt.openssl.org/Ticket/History.html?id=3979.
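To make the two workarounds in Steve's summary checkable, here is an added example in Go; it is not generate_cert's own code and not from the OpenSSL ticket. The names `Pair`, `Report`, `GeneratePair`, `Lint`, `VerifyInGo` and the Organization strings are assumptions made for the example. It issues a CA and a server certificate with the given Organization values, flags the shape Steve describes (subject text equal to issuer text with no distinct SKID/AKID pair to show the certificate is not self-signed), and surfaces one detail that matters when fixing this in Go: `crypto/x509.CreateCertificate` only copies the parent's SKID into the AKID when the template's subject differs from the issuer's, so a server certificate whose Organization equals the CA's comes out with no AKID unless one is set explicitly.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Pair holds a CA certificate and a server certificate it signed (example type).
type Pair struct{ CA, Server *x509.Certificate }

// Report records whether the server certificate has the shape from the OpenSSL
// ticket: subject == issuer text, with no SKID/AKID mismatch to rule out self-signed.
type Report struct{ SubjectEqualsIssuer, ServerHasSKID, ServerHasAKID, Ambiguous bool }

// keyID derives a key identifier from the SubjectPublicKeyInfo DER. Not the
// RFC 5280 method-1 value; any stable per-key value serves for SKID/AKID matching.
func keyID(pub *ecdsa.PublicKey) []byte {
	spki, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an ecdsa.PublicKey
	sum := sha1.Sum(spki)
	return sum[:]
}

// sign issues tmpl under parent and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// GeneratePair builds a CA with Organization caOrg and a server certificate with
// Organization serverOrg. With explicitKeyIDs, both carry a SubjectKeyId and the
// server certificate an AuthorityKeyId (the workaround from the OpenSSL ticket).
func GeneratePair(caOrg, serverOrg string, explicitKeyIDs bool) (*Pair, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{Organization: []string{caOrg}},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{Organization: []string{serverOrg}},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if explicitKeyIDs {
		caTmpl.SubjectKeyId = keyID(&caKey.PublicKey)
		srvTmpl.SubjectKeyId = keyID(&srvKey.PublicKey)
		// crypto/x509 copies the parent's SKID into the AKID only when the
		// template's subject differs from the issuer's, so a server cert whose
		// Organization equals the CA's gets no AKID unless it is set here.
		srvTmpl.AuthorityKeyId = caTmpl.SubjectKeyId
	}
	ca, err := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	srv, err := sign(srvTmpl, ca, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &Pair{CA: ca, Server: srv}, nil
}

// Lint flags the issuer == subject ambiguity that tripped OpenSSL 1.0.2 clients.
func Lint(p *Pair) Report {
	s := p.Server
	r := Report{SubjectEqualsIssuer: bytes.Equal(s.RawSubject, s.RawIssuer)}
	r.ServerHasSKID, r.ServerHasAKID = len(s.SubjectKeyId) > 0, len(s.AuthorityKeyId) > 0
	distinct := r.ServerHasSKID && r.ServerHasAKID && !bytes.Equal(s.SubjectKeyId, s.AuthorityKeyId)
	r.Ambiguous = r.SubjectEqualsIssuer && !distinct
	return r
}

// VerifyInGo runs Go's own path validation against the pair's CA as the only root.
func VerifyInGo(p *Pair) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.CA)
	_, err := p.Server.Verify(x509.VerifyOptions{Roots: roots})
	return err
}
```

Running `Lint` over the three shapes from this thread, `GeneratePair("Boot2Docker", "Boot2Docker", false)` (the reported setup), `GeneratePair("Boot2Docker", "Boot2Docker", true)` (Steve's SKID/AKID workaround) and `GeneratePair("Boot2DockerCACert", "Boot2Docker", false)` (the `--org` route), only the first reports `Ambiguous: true`, while all three pass `VerifyInGo`: Go's path builder does not use the self-signed heuristic that the OpenSSL 1.0.2 client applied.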

SvenDowideit commented 9 years ago

@posita I'm pretty happy with the fix you hacked together. Is there a reason you backed it out?

SvenDowideit commented 9 years ago

I guess in boot2docker, we can do the simplest thing - which is just to set --org=Boot2DockerCACert

posita commented 9 years ago

> @posita I'm pretty happy with the fix you hacked together. Is there a reason you backed it out?

You mean in my own repository? Yes, I was making sure the problem wasn't fixed by updating OpenSSL on the b2d side. Ignore the "release" version number progression (0.1.2 is bad, 0.1.1 works). They were just me keeping track of my attempts to diagnose the issue.

> I guess in boot2docker, we can do the simplest thing - which is just to set --org=Boot2DockerCACert

Ah! :open_mouth: I didn't even know that was an option! (Where's the Emoji for "facepalm"?) Yes, actually that may work. Of course that passes the buck onto b2d, which may be just fine. :wink:

Proposal: I'll submit a PR to boot2docker/boot2docker that makes use of the --org tag in the appropriate place in usr/local/etc/init.d/docker. Assuming that passes muster, great. If not, we can patch generate_cert, but I like making use of the existing command line options better.

SvenDowideit commented 9 years ago

And damn. Looks like the 0.1 release that b2d uses doesn't have --org. I'll make a new release asap.

SvenDowideit commented 9 years ago

https://github.com/SvenDowideit/generate_cert/releases/tag/0.2

posita commented 9 years ago

Awesome! I'll work that into my PR to b2d.

posita commented 9 years ago

PR submitted as boot2docker/boot2docker#1029.

SvenDowideit commented 9 years ago

This is closed by the 0.2 generate_cert release, and is going into the next boot2docker release too \o/