-
-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Does not do any TLS hostname verification by default #472
Comments
The issue here is that hyper needs to pick something by default. It's already possible to do it yourself with |
For what it's worth, I just implemented RFC 6125-compliant hostname verification for Ruby's OpenSSL extension (a.k.a. CVE-2015-1855): https://github.com/ruby/openssl/pull/12/files I'd be happy to do a Rust implementation. |
Worth noting this is also an issue in Servo: servo/servo#4954 |
I just started an RFC6125 hostname verification library for Rust: |
One thing I'm curious about... what type is used for representing presented identifiers? I think I'd like the internal implementation of this library to be done completely as |
Hyper doesn't seem to do any TLS verification right now with the default client settings. Any untrusted certificate goes. |
@tarcieri I don't know what |
@seanmonstar the subjectAlternativeNames (SANs) or Common Names (CNs) in X.509 certificates |
Ah, I have no idea. That would be in the openssl lib, no? On Sun, Apr 26, 2015, 2:21 PM Tony Arcieri [email protected] wrote:
|
It's beginning to seem like |
Since it hasn't been explicitly stated in here, here's a relevant project: https://github.com/briansmith/webpki |
@frewsxcv +1 for that |
What is a good API for disabling TLS verification when the user desires it? Environment variable? Argument to the connection object? |
Disabling security based on environment variables sounds dangerous. |
Hopefully, this will not be possible. |
Additionally disables SSLv2 and SSLv3, as those are universally considered unsafe. Closes #472
An easy approach would be to make your own implementation of |
Although it should go without saying that disabling certificate verification is a terrible thing to do, there will be developers who will want to disable it and will find a way to do so whether or not Hyper provides an API for it. Rather than leaving developers to their own devices, I think Hyper should provide an API to disable verification for two reasons:
|
I'm -1 on an option to disable verification. Rebuttal to AGWA's two points above: 1) An entire type that does nothing but circumvent verification has a bigger footprint than an environment variable. I don't think making it easy to grep for is a good thing to optimize for. 2) The kind of developer that would do what you're describing will still just copy/paste whatever they read on Stack Overflow, regardless of whether or not the the flag has "insecure" in the name. |
Use openssl-verify to check certificate + hostname Fixes #4954. r? @jdm This is based on hyperium/hyper#472, though it doesn't re-use that code directly because Servo configures its own OpenSSL context. <!-- Reviewable:start --> --- This change is [<img src="https://reviewable.io/review_button.svg" height="35" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/11115) <!-- Reviewable:end -->
I have a bunch of use cases where disabling certificate validation is needed, mainly related to use on machines not connected to internet (the case at my company):
More than that, it should also be possible to enable old, insecure ciphers in a relatively easy way mainly to be able to talk to clients/servers not supporting TLS1.2 (everything using Java 1.7 or older). Hyper should be flexible enough to support these use cases. Defaults can be to enable most secure options but give the user the possibility to configure hyper according to his/her needs. I have opened #811 for this. Edit: fix a typo |
@maximih Hyper already allows all of the configuration you asked for by manually configuring the Openssl object: http://hyper.rs/hyper/v0.9.6/hyper/net/struct.Openssl.html |
Note that running an X.509 PKI that broken only offers the illusion of security. Re: TLS 1.2 and Java 1.7, it's supported out-of-the-box by the Sun JSSE provider. |
Just noticed this, it seems like in this case it may be a waste to use TLS at all. If talking over a local network that you own and control, you can get performance improvements by not encrypting everything. Unless there are others on your local network that you want to protect yourself from, I guess?
This is exactly the current case. Default is to be secure. If one wants to alter away from the defaults, you can utilize the |
Not necessarily. There are other local use cases that benefit from skipping verification. For example:
Using curl/libcurl for those use-cases is trivial and just works. |
@MoSal I buy @AGWA's argument that having a standard notation that's easy to grep for is desirable. That said, while I'm glad you think curl makes it super easy to shut off the security, I'm not sure that's actually a desirable property. I think the world would be a better place if there were no |
…ame (from mbrubeck:openssl-verify); r=jdm Fixes #4954. r? jdm This is based on hyperium/hyper#472, though it doesn't re-use that code directly because Servo configures its own OpenSSL context. Source-Repo: https://github.com/servo/servo Source-Revision: 40be84df26ce3ce80851e751374154c015506921 UltraBlame original commit: 4403e83bbb8e763bb0f0e8509051a286eb73ec41
…ame (from mbrubeck:openssl-verify); r=jdm Fixes #4954. r? jdm This is based on hyperium/hyper#472, though it doesn't re-use that code directly because Servo configures its own OpenSSL context. Source-Repo: https://github.com/servo/servo Source-Revision: 40be84df26ce3ce80851e751374154c015506921 UltraBlame original commit: 4403e83bbb8e763bb0f0e8509051a286eb73ec41
…ame (from mbrubeck:openssl-verify); r=jdm Fixes #4954. r? jdm This is based on hyperium/hyper#472, though it doesn't re-use that code directly because Servo configures its own OpenSSL context. Source-Repo: https://github.com/servo/servo Source-Revision: 40be84df26ce3ce80851e751374154c015506921 UltraBlame original commit: 4403e83bbb8e763bb0f0e8509051a286eb73ec41
Currently, hyper does not provide any hostname verification when working with TLS. Ideally, Hyper would use a library similar to https://github.com/pyca/service_identity to prevent MITM attacks from happening.
The text was updated successfully, but these errors were encountered: