unitedstates / inspectors-general

Collecting reports from Inspectors General across the US federal government.
https://sunlightfoundation.com/blog/2014/11/07/opengov-voices-opening-up-government-reports-through-teamwork-and-open-data/
Creative Commons Zero v1.0 Universal

SHA-1 CA bundle #250

Closed divergentdave closed 8 years ago

divergentdave commented 8 years ago

This is a followup from #245, see this comment.

Older versions of OpenSSL have issues building the correct certificate chain in the presence of cross-signed CAs. When communicating with servers that trigger this problem (i.e. SBA and SIGAR), we should instead use certifi's legacy bundle, which includes roots that issued SHA-1 certificates.

Newer versions of OpenSSL have features and options to improve the situation, such as X509_V_FLAG_TRUSTED_FIRST and a new "alternate chains" algorithm. However, X509_V_FLAG_TRUSTED_FIRST is not yet exposed to Python; ssl.VERIFY_X509_TRUSTED_FIRST will first be released in the forthcoming Python 3.4.4, where it will be set by default. The alternate chains algorithm has only been released for newer versions of 1.0.1 and 1.0.2, which aren't yet in Debian stable. (cf. http://curl.haxx.se/mail/lib-2015-05/0175.html and https://www.openssl.org/news/secadv/20150709.txt)

Further reading: https://lukasa.co.uk/2015/04/Certifi_State_Of_Union/ and certifi/python-certifi#26
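An added example, not code from this repository or thread, of the decision the comment above describes, using only Python's standard library: ask OpenSSL to prefer its own trust store over the server-sent chain where the interpreter exposes `ssl.VERIFY_X509_TRUSTED_FIRST`, and otherwise fall back to a legacy CA bundle only for the affected hosts, never loosening verification. The hostnames and bundle paths are assumptions.

```python
import ssl

# Constructed set of hosts the thread says trip old OpenSSL's chain builder
# ("SBA and SIGAR"); these exact hostnames are assumptions, not from the issue.
LEGACY_BUNDLE_HOSTS = frozenset({"www.sba.gov", "www.sigar.mil"})


def supports_trusted_first():
    """True when this Python exposes OpenSSL's X509_V_FLAG_TRUSTED_FIRST
    (ssl.VERIFY_X509_TRUSTED_FIRST, first shipped in Python 3.4.4)."""
    return hasattr(ssl, "VERIFY_X509_TRUSTED_FIRST")


def pick_ca_bundle(host, default_bundle, legacy_bundle):
    """Choose the CA file for a host.

    The legacy bundle (roots that issued SHA-1 certificates) is used only for
    the known-problematic hosts, and only when the interpreter cannot ask
    OpenSSL to prefer trusted roots over the cross-signed chain the server
    sends. Everywhere else the smaller default bundle wins.
    """
    if host in LEGACY_BUNDLE_HOSTS and not supports_trusted_first():
        return legacy_bundle
    return default_bundle


def build_context(host, default_bundle=None, legacy_bundle=None):
    """Build a verifying SSLContext for `host`.

    Certificate verification and hostname checking are never disabled; the
    only knobs touched are the chain-building flag and which CA file is added.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    if supports_trusted_first():
        ctx.verify_flags |= ssl.VERIFY_X509_TRUSTED_FIRST
    cafile = pick_ca_bundle(host, default_bundle, legacy_bundle)
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)  # adds roots to the store
    return ctx


def context_is_strict(ctx):
    """Sanity check: the fallback must not have weakened verification."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def context_prefers_trusted_first(ctx):
    """True when the trusted-first flag is set on the context."""
    if not supports_trusted_first():
        return False
    return bool(ctx.verify_flags & ssl.VERIFY_X509_TRUSTED_FIRST)
```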

konklone commented 8 years ago

Great research and execution on this, @divergentdave. While I was following this issue generally, it wasn't at this level of detail, and reading certifi's post was very helpful.

cc @alex