2 changes: 1 addition & 1 deletion changelog.d/0-release-notes/nix-builds
@@ -1 +1 @@
Build docker images using nix derivations instead of Dockerfiles (#2331, ##)
Build docker images using nix derivations instead of Dockerfiles (#2331, #2771, #2772)
1 change: 1 addition & 0 deletions nix/wire-server.nix
Expand Up @@ -216,6 +216,7 @@ let lib = pkgs.lib;
'';
config = {
Entrypoint = ["${pkgs.dumb-init}/bin/dumb-init" "--" "${drv}/bin/${execName}"];
Env = ["SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"];
};
}
) (staticExecs localMods);
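Review bot: The added `Env` entry hard-codes `/etc/ssl/certs/ca-bundle.crt`, and nothing visible in this hunk guarantees that the image actually ships a CA bundle at that path. If the file is missing, outbound TLS calls that use `VerifyPeer` would fail certificate verification at handshake time instead of the problem surfacing when the image is built. If the bundle is meant to come from `pkgs.cacert`, pointing at the store path makes the dependency explicit and build-checked: `Env = ["SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];`. The enclosing image definition starts and ends outside the hunk, so the image contents may already cover this.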
5 changes: 2 additions & 3 deletions services/brig/src/Brig/App.hs
Expand Up @@ -135,7 +135,6 @@ import Network.HTTP.Client.OpenSSL
import OpenSSL.EVP.Digest (Digest, getDigestByName)
import OpenSSL.Session (SSLOption (..))
import qualified OpenSSL.Session as SSL
import qualified OpenSSL.X509.SystemStore as SSL
import Polysemy
import Polysemy.Final
import qualified Ropes.Nexmo as Nexmo
Expand Down Expand Up @@ -339,7 +338,7 @@ initHttpManager = do
SSL.contextSetCiphers ctx "HIGH"
SSL.contextSetVerificationMode ctx $
SSL.VerifyPeer True True Nothing
SSL.contextLoadSystemCerts ctx
SSL.contextSetDefaultVerifyPaths ctx
-- Unfortunately, there are quite some AWS services we talk to
-- (e.g. SES, Dynamo) that still only support TLSv1.
-- Ideally: SSL.contextAddOption ctx SSL_OP_NO_TLSv1
Expand Down Expand Up @@ -369,7 +368,7 @@ initExtGetManager = do
-- We use public key pinning with service providers and want to
-- support self-signed certificates as well, hence 'VerifyNone'.
SSL.contextSetVerificationMode ctx SSL.VerifyNone
SSL.contextLoadSystemCerts ctx
SSL.contextSetDefaultVerifyPaths ctx
mgr <-
newManager
(opensslManagerSettings (pure ctx)) -- see Note [SSL context]
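Review bot: With `SSL.contextSetDefaultVerifyPaths ctx` in `initHttpManager`, the trust anchors for `VerifyPeer` now come from OpenSSL's default verify locations, which the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables override, and the code does not document that dependency. As far as I know the underlying OpenSSL call reports success even when nothing exists at those locations, so a process started without the image's `SSL_CERT_FILE` would only fail later, on the first verified handshake. I would add a comment above the call, e.g. `-- Trust anchors: OpenSSL default verify paths (SSL_CERT_FILE / SSL_CERT_DIR); set by the docker image.`, and consider a startup check that the configured bundle is readable. The same applies to the replaced calls in cargohold `initSSLContext`, galley `initHttpManager` and `initExtEnv`, and the SQS integration test; in `initExtGetManager` the context uses `VerifyNone`, so the loaded store does not change the handshake result there. All of these function bodies continue outside their hunks.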
3 changes: 1 addition & 2 deletions services/cargohold/src/CargoHold/App.hs
Expand Up @@ -66,7 +66,6 @@ import Network.HTTP.Client.OpenSSL
import Network.Wai.Utilities (Error (..))
import OpenSSL.Session (SSLContext, SSLOption (..))
import qualified OpenSSL.Session as SSL
import qualified OpenSSL.X509.SystemStore as SSL
import System.Logger.Class hiding (settings)
import qualified System.Logger.Extended as Log

Expand Down Expand Up @@ -132,7 +131,7 @@ initSSLContext = do
SSL.contextAddOption ctx SSL_OP_NO_SSLv2
SSL.contextAddOption ctx SSL_OP_NO_SSLv3
SSL.contextSetCiphers ctx "HIGH"
SSL.contextLoadSystemCerts ctx
SSL.contextSetDefaultVerifyPaths ctx
SSL.contextSetVerificationMode ctx $
SSL.VerifyPeer True True Nothing
pure ctx
3 changes: 1 addition & 2 deletions services/galley/src/Galley/App.hs
Expand Up @@ -90,7 +90,6 @@ import Network.HTTP.Client (responseTimeoutMicro)
import Network.HTTP.Client.OpenSSL
import qualified Network.Wai.Utilities.Error as Wai
import OpenSSL.Session as Ssl
import qualified OpenSSL.X509.SystemStore as Ssl
import Polysemy
import Polysemy.Error
import Polysemy.Input
Expand Down Expand Up @@ -189,7 +188,7 @@ initHttpManager o = do
Ssl.contextAddOption ctx SSL_OP_NO_SSLv3
Ssl.contextAddOption ctx SSL_OP_NO_TLSv1
Ssl.contextSetCiphers ctx rsaCiphers
Ssl.contextLoadSystemCerts ctx
Ssl.contextSetDefaultVerifyPaths ctx
newManager
(opensslManagerSettings (pure ctx))
{ managerResponseTimeout = responseTimeoutMicro 10000000,
3 changes: 1 addition & 2 deletions services/galley/src/Galley/Env.hs
Expand Up @@ -34,7 +34,6 @@ import Network.HTTP.Client
import Network.HTTP.Client.OpenSSL
import OpenSSL.EVP.Digest
import OpenSSL.Session as Ssl
import qualified OpenSSL.X509.SystemStore as Ssl
import Ssl.Util
import System.Logger
import Util.Options
Expand Down Expand Up @@ -80,7 +79,7 @@ initExtEnv = do
Ssl.contextAddOption ctx SSL_OP_NO_SSLv3
Ssl.contextAddOption ctx SSL_OP_NO_TLSv1
Ssl.contextSetCiphers ctx rsaCiphers
Ssl.contextLoadSystemCerts ctx
Ssl.contextSetDefaultVerifyPaths ctx
mgr <-
newManager
(opensslManagerSettings (pure ctx))
3 changes: 1 addition & 2 deletions services/galley/test/integration/API/SQS.hs
Expand Up @@ -42,7 +42,6 @@ import Imports
import Network.HTTP.Client
import Network.HTTP.Client.OpenSSL
import OpenSSL.Session as Ssl
import qualified OpenSSL.X509.SystemStore as Ssl
import Proto.TeamEvents as E
import Proto.TeamEvents_Fields as E
import Safe (headDef)
Expand Down Expand Up @@ -243,7 +242,7 @@ initHttpManager = do
Ssl.contextAddOption ctx SSL_OP_NO_SSLv3
Ssl.contextAddOption ctx SSL_OP_NO_TLSv1
Ssl.contextSetCiphers ctx rsaCiphers
Ssl.contextLoadSystemCerts ctx
Ssl.contextSetDefaultVerifyPaths ctx
newManager
(opensslManagerSettings (pure ctx)) -- see Note [SSL context]
{ managerResponseTimeout = responseTimeoutMicro 10000000,