Cert and key match validation in mbedtls

charybdis-ircd / charybdis

Scalable IRCv3.2 server for large, community-oriented networks

GNU General Public License v2.0

231 stars 102 forks source link

Cert and key match validation in mbedtls #256

Closed GuillaumeFromage closed 6 years ago

GuillaumeFromage commented 6 years ago

Hi !

If you provide a mismatching key-cert pair to charybdis 3.5.5 with mbedtls, it doesn't validate that the key validate the cert, hence, its not giving any error, while clients get: warning SSL handshake failed: invalid padding => irssi Connection failed ((67567722) error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01) => hexchat

Those error are hard to track for an operator and it would be better to ensure validity of the cert beforehand.

Thanks a lot !

aaronmdjones commented 6 years ago

Do commits 6c0079528465771bd1d9f4b84d4ed7a9311fc230 (3.5) or 432daad71ebdcbd92c9268713c79834afcf4db54 (4) fix your issue ?

GuillaumeFromage commented 6 years ago

Yes I think that would do it. I'll reopen if it doesn't.

GuillaumeFromage commented 6 years ago

And yeah, thanks a lot for the quick reply !