Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

set TLS option CURLSSLOPT_REVOKE_BEST_EFFORT #115

Merged
merged 1 commit into from
Apr 23, 2021

Conversation

StefanKarpinski
Copy link
Member

@StefanKarpinski StefanKarpinski commented Apr 21, 2021

The Windows native TLS backend (Schannel) makes synchronous certificate revocation checks against a CRL server. For users behind a firewall, this server may be unreachable, causing the TLS connection to fail. The CURLSSLOPT_REVOKE_BEST_EFFORT option addresses precisely this situation, configuring Schannel to make a best effort revocation check but allowing the connection if the CRL server cannot be reached, as long as the certificate isn't already known to be revoked. This behavior matches the default revocation checking behavior on macOS (asynchronous best effort) and is strictly more secure than Linux where no CRL checking is done.

Since the typical advice in such situations is to disable TLS host verification entirely, this is an improvement in that with this option, so long as the client's system CA roots are configured correctly, host verification will work and at least local MITM attacks are prevented.

See this discussion where several Windows uses behind firewalls reported this issue.

The Windows native TLS backend (Schannel) makes synchronous certificate
revocation checks against a CRL server. For users behind a firewall,
this server may be unreachable, causing the TLS connection to fail. The
CURLSSLOPT_REVOKE_BEST_EFFORT option addresses precisely this situation,
configuring Schannel to make a best effort revocation check but allowing
the connection if the CRL server cannot be reached, as long as the
certificate isn't already known to be revoked. This behavior matches the
default revocation checking behavior on macOS (asynchronous best effort)
and is strictly more secure than Linux where no CRL checking is done.

Since the typical advice in such situations is to disable TLS host
verification entirely, this is an improvement in that with this option,
so long as the client's system CA roots are configured correctly, host
verification will work and at least local MITM attacks are prevented.
@StefanKarpinski StefanKarpinski force-pushed the sk/tls-revoke-best-effort branch from 34deb3f to d34b152 Compare April 21, 2021 15:21
@StefanKarpinski
Copy link
Member Author

I'm just going to merge this and hope that it improves things since it seems unlikely that anyone in this situation (Windows & strict firewall) will test this change. 🤞🏻

@StefanKarpinski StefanKarpinski merged commit 4e87640 into master Apr 23, 2021
@StefanKarpinski StefanKarpinski deleted the sk/tls-revoke-best-effort branch April 23, 2021 19:12
StefanKarpinski added a commit that referenced this pull request May 4, 2021
The Windows native TLS backend (Schannel) makes synchronous certificate
revocation checks against a CRL server. For users behind a firewall,
this server may be unreachable, causing the TLS connection to fail. The
CURLSSLOPT_REVOKE_BEST_EFFORT option addresses precisely this situation,
configuring Schannel to make a best effort revocation check but allowing
the connection if the CRL server cannot be reached, as long as the
certificate isn't already known to be revoked. This behavior matches the
default revocation checking behavior on macOS (asynchronous best effort)
and is strictly more secure than Linux where no CRL checking is done.

Since the typical advice in such situations is to disable TLS host
verification entirely, this is an improvement in that with this option,
so long as the client's system CA roots are configured correctly, host
verification will work and at least local MITM attacks are prevented.

(cherry picked from commit 4e87640)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant