openssl
Improve documentation of TLS Server Name Indication (SNI) and fix its use by CMP client
Add recommendation that TLS clients should use SSL_set_tlsext_host_name() for SNI
and that this should be done jointly with using {SSL,X509_VERIFY_PARAM}_{set1,add1}_host().
On this occasion fix nits and omissions in the respective .pod files.
Fix inconsistent use of these functions in the CMP CLI:
Any given -tls_host option must take precedence over using the host part of the server URL,
and SSL_set_tlsext_host_name() must not be used with IP addresses.
Also fix OSSL_parse_url() going too far when scanning for '@' to detect the end of the userinfo component,
going astray when an '@' symbol occurs after the host component, for instance in the query component.
Checklist
- [x] documentation is added or updated
- [x] tests are added or updated
BTW, since doing the SNI and hostname/address checks is important for correct and secure TLS connections,
how about calling SSL_set_tlsext_host_name() and X509_VERIFY_PARAM_set1_host() on the client side by default?
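The two client-side behaviours this PR description fixes, shown as an added stand-alone illustration rather than code from the PR or from OpenSSL: first, the userinfo '@' search must stop at the end of the authority component (a buggy variant that scans the whole URL is kept beside the corrected one so the failure on a query-component '@' is visible); second, an explicit -tls_host value takes precedence over the URL host, and no SNI name is derived for an IP address literal. The function names (`url_host_naive`, `url_host_fixed`, `sni_name`, `host_is_ip_literal`) and the sample URLs are assumptions made for this example; IP-literal detection uses inet_pton() instead of a string heuristic.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* True if host is an IPv4 or IPv6 address literal (IPv6 brackets already
 * stripped). inet_pton() applies the real address grammar, so this is
 * stricter than a simple "looks like digits and dots" heuristic. */
bool host_is_ip_literal(const char *host)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, host, buf) == 1
        || inet_pton(AF_INET6, host, buf) == 1;
}

/* Copy the host part of the authority text [h, end) into out.
 * Handles a "[v6]" bracketed literal and a trailing ":port". */
static int copy_host(const char *h, const char *end, char *out, size_t outlen)
{
    const char *hend;
    if (h < end && *h == '[') {            /* bracketed IPv6 literal */
        const char *close = memchr(h, ']', (size_t)(end - h));
        if (close == NULL)
            return -1;
        h++;
        hend = close;
    } else {                               /* host ends at ":port" or at end */
        const char *colon = memchr(h, ':', (size_t)(end - h));
        hend = colon != NULL ? colon : end;
    }
    size_t n = (size_t)(hend - h);
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, h, n);
    out[n] = '\0';
    return 0;
}

/* Skip a leading "scheme://" if present; returns the start of the authority. */
static const char *authority_start(const char *url)
{
    const char *p = strstr(url, "://");
    return p != NULL ? p + 3 : url;
}

/* Buggy variant (constructed to mirror the reported defect): the '@' search
 * runs over the whole remainder of the URL, so an '@' in the path or query
 * is mistaken for the end of the userinfo component. */
int url_host_naive(const char *url, char *out, size_t outlen)
{
    const char *p = authority_start(url);
    const char *at = strchr(p, '@');
    const char *h = at != NULL ? at + 1 : p;
    return copy_host(h, h + strcspn(h, "/?#"), out, outlen);
}

/* Fixed variant: the authority ends at the first '/', '?' or '#', and the
 * '@' search is confined to that range. */
int url_host_fixed(const char *url, char *out, size_t outlen)
{
    const char *p = authority_start(url);
    size_t auth_len = strcspn(p, "/?#");
    const char *at = memchr(p, '@', auth_len);
    const char *h = at != NULL ? at + 1 : p;
    return copy_host(h, p + auth_len, out, outlen);
}

/* SNI name to send: an explicit -tls_host value wins over the URL host, and
 * no SNI name is derived for an IP address literal (SNI carries DNS names). */
const char *sni_name(const char *tls_host_opt, const char *url_host)
{
    const char *h = tls_host_opt != NULL ? tls_host_opt : url_host;
    return host_is_ip_literal(h) ? NULL : h;
}

int main(void)
{
    /* Constructed sample input: no userinfo, but an '@' inside the query. */
    const char *url = "https://example.com/cgi?to=bob@example.org";
    char naive[64], fixed[64];

    url_host_naive(url, naive, sizeof naive);
    url_host_fixed(url, fixed, sizeof fixed);
    printf("naive host: %s\nfixed host: %s\n", naive, fixed);

    const char *sni = sni_name(NULL, fixed);
    printf("SNI name: %s\n", sni != NULL ? sni : "(none: IP literal)");
    /* With a live SSL *ssl, the client would call SSL_set_tlsext_host_name()
     * only when sni != NULL, and SSL_set1_host() with the host for the
     * certificate name check, as the PR description recommends. */
    return 0;
}
```

The naive variant returns `example.org` for the sample URL, which is exactly the misparse the PR describes; the fixed variant returns `example.com`. The SNI decision then applies the -tls_host precedence and the IP-literal exclusion on top of the parsed host.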
This needs a rebase due to conflicts.
Done. Also squashed all fixup commits due to review comments.
This PR is in a state where it requires action by @openssl/committers but the last update was 30 days ago
After experimenting with the outcome of the new check_backports CI, I removed 3.0 from the target list because unfortunately there is a trivial merge conflict that I cannot work around in this PR. So a backport to 3.0, if still desirable, will require a separate PR.
I also tried with 3.2, but then noticed that there is some other such merge conflict there, and since 3.2 will anyway expire soon, I removed the 'branch: 3.2' label - so the above CI failure for 3.2 does no more apply.
Thanks @mattcaswell and @vdukhovni for your comments of mid-June on my simplistic IS_IP_ADDR() -
I finally took the time to fix this after getting reminded of this a few days back.
@vdukhovni did you see that I meanwhile did the suggested fix?
Can we please now get this bug+doc fix PR done? The new option suggested above by @vdukhovni is going to be added in a separate PR.
Ping @openssl/committers for further reviews/approvals, please.
This PR meanwhile should include all needed changes.
Asking again @openssl/committers for review and approvals.
This PR is in a state where it requires action by @openssl/committers but the last update was 30 days ago
@vdukhovni as mentioned in mid-August, I believe I have covered your comments. Okay now from your perspective?
Ping again @vdukhovni
Ping @openssl/committers for approvals