hiredis icon indicating copy to clipboard operation
hiredis copied to clipboard

Published 20 hours ago verified publisher icon redis

TLS: Validate the hostname of the server certificate

Open mkauf opened this issue 3 years ago • 3 comments

Avoid MITM attacks by checking whether the server's certificate contains the server's hostname.

Currently this works only with OpenSSL 1.1.0 or newer.

mkauf avatar Aug 12 '20 14:08 mkauf

Hi, thanks for the PR!

The code looks fine to me. The only question I have is whether users are going to want to make the check optional (as opposed to always happening with OpenSSL >= 1.1.0 when they specify server_name).

Is the problem that SSL_set_tlsext_host_name doesn't by itself actually do any hostname validation?

@yossigo Any thoughts?

michael-grunder avatar Aug 13 '20 19:08 michael-grunder

Is the problem that SSL_set_tlsext_host_name doesn't by itself actually do any hostname validation?

Yes, it only sets the SNI hostname. This name is not used to validate the server certificate.

mkauf avatar Aug 17 '20 08:08 mkauf

@mkauf Thanks for this PR for raising this issue in the first place!

Technically this is a breaking change because anyone who's using SNI but don't have compatible certs would experience connection errors. As hiredis 1.0.0 was just released I think we may be okay with that, but would like to raise two points:

  1. I think we need an option to disable name checks, even if SNI is used. I'd consider something like redisSSLContextSetOptions(ctx, REDIS_SSL_NO_HOSTNAME_CHECK);
  2. OpenSSL 1.0.x is still widely used and we'd want hiredis to behave the same way on both versions.

@michael-grunder Does this make sense to you?

yossigo avatar Aug 17 '20 18:08 yossigo