Closed tik-stbuehler closed 2 years ago
lavv17
commented
3 years ago You are correct, thanks for diagnosis. I can remember that I took the verification code from wget or curl and adapted for lftp logging. What code do you suggest for certificate verification?
shankerwangmiao
commented
2 years ago You are correct, thanks for diagnosis. I can remember that I took the verification code from wget or curl and adapted for lftp logging. What code do you suggest for certificate verification?
Shall we directly use gnutls_session_set_verify_cert and let gnutls to handle all the verification stuff?
This is quite likely the issue behind #143.
The idea of a cross-signed CA is that you have an existing CA sign a new one - so it looks like an intermediate certificate, but is actually treated as root CA by clients which already trust the new CA.
Example Picture: https://letsencrypt.org/2020/12/21/extending-android-compatibility.html
Now if the old CA expires (or gets revoked) it won't validate the chain through the chain "end" - but normal chain verification still succeeds as long as they trust the cross-signed (intermediate) CA.
Which is why now lftp won't work against default LetsEncrypt chains anymore: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
Coding that chain verification algorithm yourself is basically asking for problems. Please don't do that:
https://github.com/lavv17/lftp/blob/d67fc14d085849a6b0418bb3e912fea2e94c18d1/src/lftp_ssl.cc#L373-L382