forge icon indicating copy to clipboard operation
forge copied to clipboard

Published 20 hours ago verified publisher icon digitalbazaar

Should not assume TLS certificate chain is provided in order

Open andersk opened this issue 1 month ago • 0 comments

The TLS 1.2 specification required the certificate chain to be in order:

The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it.

However, in practice, servers are commonly misconfigured to violate this requirement, and so TLS 1.3 relaxed it from MUST to SHOULD:

The sender's certificate MUST come in the first CertificateEntry in the list. Each following certificate SHOULD directly certify the one immediately preceding it.

For compatibility, Forge should not assume the chain is provided in order. It currently assumes this here:

https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/x509.js#L3033-L3039

https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/x509.js#L3059-L3061

andersk avatar Jun 13 '24 22:06 andersk