quicklisp-projects
please add quicklisp-https
small patch for quicklisp client to enable https access using dexador https://github.com/snmsts/quicklisp-https
Does dexador signal an error when connecting to a site that presents invalid TLS (e.g. expired cert, bogus cert, bad hostname, etc)?
I'm not sure about SSL, but I got CL+SSL:SSL-ERROR-VERIFY when I accessed my prepared self-signed https server.
How about these:
- https://expired.badssl.com/
- https://wrong.host.badssl.com/
- https://untrusted-root.badssl.com/
- https://revoked.badssl.com/
hmm...
CL-USER> (mapcar (lambda (x) (cons x (multiple-value-list (ignore-errors (dex:get x))))) '("https://expired.badssl.com/"
"https://wrong.host.badssl.com/"
"https://untrusted-root.badssl.com/"
"https://revoked.badssl.com/"))
(("https://expired.badssl.com/" NIL #<CL+SSL:SSL-ERROR-VERIFY #x302001D49F0D>) ("https://wrong.host.badssl.com/" "<!DOCTYPE html>
<html>
<head>
<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">
<link rel=\"shortcut icon\" href=\"/icons/favicon-red.ico\"/>
<link rel=\"apple-touch-icon\" href=\"/icons/icon-red.png\"/>
<title>wrong.host.badssl.com</title>
<link rel=\"stylesheet\" href=\"/style.css\">
<style>body { background: red; }</style>
</head>
<body>
<div id=\"content\">
<h1 style=\"font-size: 12vw;\">
wrong.host.<br>badssl.com
</h1>
</div>
</body>
</html>
" 200 #<HASH-TABLE :TEST EQUAL size 9/60 #x302001DBE07D> #<QURI.URI.HTTP:URI-HTTPS https://wrong.host.badssl.com/> #<SSL-STREAM for #<BASIC-TCP-STREAM ISO-8859-1 (SOCKET/6) #x302001D24CFD>>) ("https://untrusted-root.badssl.com/" NIL #<CL+SSL:SSL-ERROR-VERIFY #x302001DA8BBD>) ("https://revoked.badssl.com/" "<!DOCTYPE html>
<html>
<head>
<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">
<link rel=\"shortcut icon\" href=\"/icons/favicon-red.ico\"/>
<link rel=\"apple-touch-icon\" href=\"/icons/icon-red.png\"/>
<title>revoked.badssl.com</title>
<link rel=\"stylesheet\" href=\"/style.css\">
<style>body { background: red; }</style>
</head>
<body>
<div id=\"content\">
<h1 style=\"font-size: 10vw;\">
revoked.<br>badssl.com
</h1>
</div>
<div id=\"footer\">
The leaf certificate for this site has been revoked.
</div>
</body>
</html>
" 200 #<HASH-TABLE :TEST EQUAL size 9/60 #x302001DDC05D> #<QURI.URI.HTTP:URI-HTTPS https://revoked.badssl.com/> #<SSL-STREAM for #<BASIC-TCP-STREAM ISO-8859-1 (SOCKET/8) #x302001D28B4D>>))
- ok https://expired.badssl.com/
- ng https://wrong.host.badssl.com/
- ok https://untrusted-root.badssl.com/
- ng https://revoked.badssl.com/
Thank you for checking. Is there any way to improve the wrong.host and revoked results?
I asked @fukamachi about it and he said he recognizes the issue, but support is pending because he couldn't find how to do it with cl+ssl.
There is a pull request for CL+SSL that is adding support for host checking in SSL. For revoked certificates it is a bit more difficult, as checking those means downloading another file. The servers that serve those files can be really slow; as a result almost no libraries check them (Python's urllib doesn't, Go's net/http doesn't, curl doesn't).
So I think enabling SSL would be useful even if revoked certificates do not get checked yet, as this is the behavior of many projects. Furthermore, cl+ssl should probably get a function to check if a certificate was revoked; however, this is not really easy.
cl-tls is a more or less fully featured TLS 1.2 implementation, and it can check for revocation via OCSP. cl+ssl could adopt the OCSP implementation used by cl-tls.
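The ad-hoc mapcar runs above can be turned into a repeatable check that states the expected outcome per endpoint and, importantly, does not count a network failure as a "correct" rejection. The following is an added example and is not code from quicklisp-https, dexador or cl+ssl; it assumes dexador and cl+ssl are loaded (e.g. via (ql:quickload '(:dexador :cl+ssl))), that the badssl.com hosts are reachable, and that the condition names are the ones shown in this thread (CL+SSL:SSL-ERROR-VERIFY for a chain failure, CL+SSL::UNABLE-TO-MATCH-ALTNAMES for a hostname mismatch). The function names *tls-expectations*, probe and check-tls-verification are chosen here for illustration.

```lisp
;;; Added example: a regression check for a TLS-verifying HTTP client.
;;; Not part of quicklisp-https, dexador or cl+ssl.
;;; Assumes dexador and cl+ssl are loaded:
;;;   (ql:quickload '(:dexador :cl+ssl))
;;; and that the badssl.com endpoints are reachable over the network.

(defparameter *tls-expectations*
  '(("https://expired.badssl.com/"        . :reject)
    ("https://wrong.host.badssl.com/"     . :reject)
    ("https://untrusted-root.badssl.com/" . :reject)
    ("https://revoked.badssl.com/"        . :reject)
    ("https://badssl.com/"                . :accept))
  "Each endpoint paired with what a verifying client must do with it.
A control that must succeed is included so a dead network cannot
make every :reject expectation pass by accident.")

(defun probe (url)
  "Fetch URL with dexador and report how the TLS layer treated it.
Returns :accept, :reject or :unreachable.  Only the verification
conditions seen in this thread count as a rejection; any other error
(DNS, refused connection, timeout) is reported as :unreachable so it is
never mistaken for a correct rejection."
  (handler-case
      (progn (dex:get url) :accept)
    ;; chain problems: expired leaf, untrusted root, self-signed, ...
    (cl+ssl:ssl-error-verify () :reject)
    ;; hostname does not match the certificate's subjectAltName
    ;; (internal symbol of cl+ssl, as shown in the output above)
    (cl+ssl::unable-to-match-altnames () :reject)
    (error () :unreachable)))

(defun check-tls-verification (&optional (expectations *tls-expectations*))
  "Probe every endpoint in EXPECTATIONS and print an ok/ng line for each.
Returns two values: T when every result matched its expectation, and a
list of (url expected actual) triples for the ones that did not."
  (let ((mismatches '()))
    (loop for (url . expected) in expectations
          for actual = (probe url)
          do (format t "~:[ng~;ok~] ~A (got ~A, expected ~A)~%"
                     (eq actual expected) url actual expected)
          unless (eq actual expected)
            do (push (list url expected actual) mismatches))
    (values (null mismatches) (nreverse mismatches))))

;; Usage at the REPL:
;;   (check-tls-verification)
```

With a client that verifies the chain but not the hostname, wrong.host.badssl.com shows up in the second return value as (url :reject :accept); with hostname checking added, only revoked.badssl.com remains there, which is the revocation gap discussed in this thread rather than a bug in the check. An :unreachable result means the probe could not decide and the run should be repeated, not recorded as a pass.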
CL-USER> (mapcar (lambda (x) (cons x (multiple-value-list (ignore-errors (dex:get x))))) '("https://expired.badssl.com/"
"https://wrong.host.badssl.com/"
"https://untrusted-root.badssl.com/"
"https://revoked.badssl.com/"))
(("https://expired.badssl.com/" NIL #<CL+SSL:SSL-ERROR-VERIFY {10053A0223}>)
("https://wrong.host.badssl.com/" NIL
#<CL+SSL::UNABLE-TO-MATCH-ALTNAMES {1005701783}>)
("https://untrusted-root.badssl.com/" NIL
#<CL+SSL:SSL-ERROR-VERIFY {1005718C53}>)
("https://revoked.badssl.com/" "<!DOCTYPE html>
<html>
<head>
<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">
<link rel=\"shortcut icon\" href=\"/icons/favicon-red.ico\"/>
<link rel=\"apple-touch-icon\" href=\"/icons/icon-red.png\"/>
<title>revoked.badssl.com</title>
<link rel=\"stylesheet\" href=\"/style.css\">
<style>body { background: red; }</style>
</head>
<body>
<div id=\"content\">
<h1 style=\"font-size: 10vw;\">
revoked.<br>badssl.com
</h1>
</div>
<div id=\"footer\">
The leaf certificate for this site has been revoked.
</div>
</body>
</html>
"
200 #<HASH-TABLE :TEST EQUAL :COUNT 9 {1005A92433}>
#<QURI.URI.HTTP:URI-HTTPS https://revoked.badssl.com/>
#<CL+SSL::SSL-STREAM for #<FD-STREAM for "socket 192.168.10.142:47890, peer: 104.154.89.105:443" {100571EBC3}>>))
update.
- ok https://expired.badssl.com/
- ok https://wrong.host.badssl.com/
- ok https://untrusted-root.badssl.com/
- ng https://revoked.badssl.com/
On Windows I got this
and when I drill down into WIN-ERROR I get code 12175
which is invalid CA
This is with quickloading dexador without this patch
I think a) dexador is correctly returning the right error code without this patch, so b) I think we can close this issue.
Incidentally, I ran this against a good site, https://www.microsoft.com, and all was good.