Closed by tik-stbuehler 3 years ago
You are correct, thanks for diagnosis. I can remember that I took the verification code from wget or curl and adapted for lftp logging. What code do you suggest for certificate verification?
Shall we directly use gnutls_session_set_verify_cert and let gnutls handle all the verification stuff?
This is quite likely the issue behind #143.
The idea of a cross-signed CA is that you have an existing CA sign a new one - so it looks like an intermediate certificate, but is actually treated as a root CA by clients which already trust the new CA.
Example Picture: https://letsencrypt.org/2020/12/21/extending-android-compatibility.html
Now if the old CA expires (or gets revoked) it won't validate the chain through the chain "end" - but normal chain verification still succeeds as long as they trust the cross-signed (intermediate) CA.
Which is why now lftp won't work against default LetsEncrypt chains anymore: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
Coding that chain verification algorithm yourself is basically asking for problems. Please don't do that:
https://github.com/lavv17/lftp/blob/d67fc14d085849a6b0418bb3e912fea2e94c18d1/src/lftp_ssl.cc#L373-L382
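To make the failure mode in the comment above concrete, here is an added model of the two verification strategies (example code, not lftp's or GnuTLS's): certificates are plain records with no real signatures, the names follow Let's Encrypt's default chain from the linked posts, and the expiry years and key identifiers are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Constructed certificate record; 'issuer' stands for a valid signature by that CA."""
    subject: str
    issuer: str
    key: str        # identifier of the subject public key (constructed)
    not_after: int  # expiry as a year (constructed)

# Constructed trust store: the new root (self-signed) and the old root, already expired.
TRUST = [
    Cert("ISRG Root X1", "ISRG Root X1", "key-isrg", 2035),
    Cert("DST Root CA X3", "DST Root CA X3", "key-dst", 2021),
]

# Constructed server chain: leaf, intermediate, then the cross-signed copy of the new root
# (same subject and key as the trusted root, but issued by the old root).
CHAIN = [
    Cert("example.test", "R3", "key-leaf", 2026),
    Cert("R3", "ISRG Root X1", "key-r3", 2025),
    Cert("ISRG Root X1", "DST Root CA X3", "key-isrg", 2024),
]

def _anchor_for(cert, trust):
    return next((t for t in trust if t.subject == cert.subject and t.key == cert.key), None)

def _issuer_anchor(cert, trust):
    return next((t for t in trust if t.subject == cert.issuer), None)

def verify_to_chain_end(chain, trust, now):
    """Hand-rolled 'walk to the end' check: every presented cert must be valid and the last
    one must be signed by an unexpired trusted root. Breaks once the cross-signing root expires."""
    for cert, parent in zip(chain, chain[1:]):
        if cert.not_after < now or parent.subject != cert.issuer:
            return False
    last = chain[-1]
    root = _issuer_anchor(last, trust)
    return last.not_after >= now and root is not None and root.not_after >= now

def verify_to_first_anchor(chain, trust, now):
    """Path building as TLS libraries do it: stop at the first presented cert that is itself
    a trust anchor (matched by subject and key); the cross-signer after it is never consulted."""
    for i, cert in enumerate(chain):
        anchor = _anchor_for(cert, trust)
        if anchor is not None:
            return anchor.not_after >= now   # the trusted copy replaces the presented one
        if cert.not_after < now:
            return False
        if i + 1 < len(chain):
            if chain[i + 1].subject != cert.issuer:
                return False
        else:
            root = _issuer_anchor(cert, trust)
            return root is not None and root.not_after >= now
    return False
```

Run with a trust store that still contains the old root and one that has dropped it: the chain-end walk fails in both cases once 2021 has passed, while anchor-based verification keeps succeeding until the leaf itself expires.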