
Warn when trying to use Basic256Sha256 with a Sha1 certificate

Open magiconair opened this issue 5 years ago • 2 comments

SecurityPolicy Basic256Sha256 requires a client certificate with a SHA256 signature. A lot of openssl generated certificates have a SHA1 signature. The client should warn that the certificate does not match the security policy since that isn't obvious unless you know where to look.

magiconair, Jun 05 '19 22:06

I don't mind working on this if it's not urgent (been busier than usual lately). The proper fix to this (and probably #217 by extension) is to implement a certificate validation routine. It's required by spec and was on my radar anyway. The idea would be to check the remote certificate for validity (trusted CA, expiration, revocation status, etc.) before connecting to a server so we could use the same routines to verify the client certificate. In addition to the x509 checks we could include checks for policy constraints like this one.

dwhutchison, Jun 06 '19 01:06

Sure. Go ahead.

— Frank Schröder


magiconair, Jun 06 '19 04:06
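
Added example, not part of the original thread and not the project's own code: a sketch of the policy check the issue asks for, using only Go's standard library. `CheckCertPolicy`, `sigHash` and `requiredSigHash` are hypothetical names, and the certificates in `main` are constructed stand-ins for ones returned by `x509.ParseCertificate`.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"strings"
)

// OPC UA policy URIs share this prefix; the short policy name is accepted too.
const policyURIPrefix = "http://opcfoundation.org/UA/SecurityPolicy#"

// requiredSigHash maps a policy to the certificate signature hash it expects.
// Only the requirement stated in the issue is encoded; other policies are not judged.
var requiredSigHash = map[string]string{"Basic256Sha256": "SHA256"}

// sigHash names the hash behind a signature algorithm. Only the hash is
// compared in this sketch; key type and key size are out of scope.
func sigHash(a x509.SignatureAlgorithm) string {
	switch a {
	case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		return "SHA1"
	case x509.SHA256WithRSA, x509.SHA256WithRSAPSS, x509.DSAWithSHA256, x509.ECDSAWithSHA256:
		return "SHA256"
	}
	return a.String() // any other algorithm is reported by its own name
}

// CheckCertPolicy (hypothetical helper) returns a warning when the certificate's
// signature hash does not match the policy, or "" when it matches, when the
// policy has no recorded requirement, or when there is no certificate to check.
func CheckCertPolicy(cert *x509.Certificate, policy string) string {
	name := strings.TrimPrefix(policy, policyURIPrefix)
	want, known := requiredSigHash[name]
	if !known || cert == nil {
		return ""
	}
	if got := sigHash(cert.SignatureAlgorithm); got != want {
		return fmt.Sprintf("certificate signature is %s (%s) but security policy %s requires %s",
			got, cert.SignatureAlgorithm, name, want)
	}
	return ""
}

func main() {
	// Constructed certificates: only the field the check reads is set.
	for _, alg := range []x509.SignatureAlgorithm{x509.SHA1WithRSA, x509.SHA256WithRSA} {
		cert := &x509.Certificate{SignatureAlgorithm: alg}
		fmt.Printf("%s: %q\n", alg, CheckCertPolicy(cert, policyURIPrefix+"Basic256Sha256"))
	}
}
```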