Hostname verification #206

Closed
tarcieri opened this issue Apr 28, 2015 · 10 comments

@tarcieri

It would be nice if rust-openssl provided a hostname verification API.

Hostname verification is an issue intimately tied to a particular SSL/TLS stack. Some questions that must be resolved are:

  1. Should we verify CNs in addition to SANs?
  2. How are name constraints enforced?

Unfortunately OpenSSL (aside from the unreleased "1.1.0" version) does not implement hostname verification at all.

I have plans on working on an RFC 6125-compliant hostname verification library in Rust that implements the "best practices" for hostname verification generally adopted by both Chrome and Firefox:

https://github.com/tarcieri/pkixnames

I am trying to aim for a least common denominator API that multiple TLS libraries could share. Unfortunately, for secure hostname validation, it will require deep integration with rust-openssl too.

This is a general problem in multiple projects, including Servo:

servo/servo#4954
hyperium/hyper#472

Anyway, I'm gonna start working on my hostname verification library. If you think it makes sense to have rust-openssl support, let me know and I can probably help 😉

Alternatives might be integrating with something like Mozilla PKIX, which will definitely be more mature (compared to, say, my current vaporware). However, I think it would be nice to use a Rust library instead of a C++ library if it were sufficiently trustworthy.
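
As an added example (not part of this thread, and not code from rust-openssl, pkixnames or webpki), here is one way the RFC 6125 name-matching rules raised in the opening post can be written in Rust. The function names and the CN-fallback policy are assumptions made for illustration, and name constraints are left to the chain validator.

```rust
// Added example: inputs are strings assumed to be already extracted from a
// chain-validated certificate. Name constraints are NOT checked here.
use std::net::IpAddr;

fn label_ok(label: &str) -> bool {
    !label.is_empty() && label.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-')
}

/// Match one presented DNS name against a lowercase reference hostname.
fn matches_dns_name(presented: &str, host: &str) -> bool {
    let presented = presented.to_ascii_lowercase();
    let p: Vec<&str> = presented.split('.').collect();
    let h: Vec<&str> = host.split('.').collect();
    if p.len() != h.len() || !h.iter().all(|l| label_ok(l)) {
        return false;
    }
    // "*" is honoured only as the entire leftmost label, and (a conservative
    // choice made here) only with two or more labels after it: no "*.com".
    let first_ok = if p[0] == "*" { p.len() >= 3 } else { p[0] == h[0] };
    first_ok && p[1..].iter().zip(&h[1..]).all(|(a, b)| label_ok(a) && a == b)
}

/// `subject_cn` is the caller's policy knob: pass `None` to never consult the CN.
pub fn verify_hostname(host: &str, san_dns: &[&str], subject_cn: Option<&str>) -> bool {
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    if host.parse::<IpAddr>().is_ok() {
        return false; // IP literals must be matched against iPAddress SANs instead
    }
    if !san_dns.is_empty() {
        // RFC 6125 6.4.4: the CN is a last resort, ignored once a DNS-ID exists.
        return san_dns.iter().any(|name| matches_dns_name(name, &host));
    }
    subject_cn.map_or(false, |cn| matches_dns_name(cn, &host))
}

fn main() {
    // Constructed sample certificate names, not taken from any real certificate.
    let sans = ["example.com", "*.example.com"];
    for host in ["www.example.com", "a.b.example.com", "example.net"].iter() {
        println!("{}: {}", host, verify_hostname(host, &sans, Some("example.net")));
    }
}
```

The last sample host is rejected even though the CN names it, because the constructed certificate carries dNSName SANs and the CN is then ignored.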

@frewsxcv
Contributor

A certificate validation library has appeared written by @briansmith!

https://github.com/briansmith/webpki

@DemiMarie

What would be required to integrate https://github.com/briansmith/webpki into rust-openssl?

@sfackler
Owner

The work would be pretty extensive, I believe - webpki has its own set of types for certificates, ciphers, etc.

@frewsxcv
Contributor

One limitation: ring and webpki have not been published on crates.io.

@sfackler
Owner

I'm working on hostname verification logic based off of libcurl's for https://github.com/sfackler/rust-native-tls. I'll either spin it off into its own crate when it's done or possibly even merge it into rust-openssl itself.

@tarcieri
Author

I would suggest using webpki if possible: hostname verification is entangled with certificate verification in the form of name constraints. Verifying hostnames correctly involves being able to reconcile the two.

@briansmith is webpki in a state where you can publish a crate?

@sfackler
Owner

It looks like OpenSSL's certificate validation logic will handle name constraints in versions 1.0.0 and higher: http://openssl.6102.n7.nabble.com/NameConstraints-are-not-being-applied-or-I-don-t-know-how-to-enforce-them-tp27065p27071.html

@sfackler
Owner

I have a translation of curl's logic in a crate: https://github.com/sfackler/rust-openssl-verify. I'm not going to publish it to crates.io until I build out tests to check at least some of the relevant cases.

@alexcrichton
Collaborator

@sfackler this is done now, right?

@sfackler
Owner

I wouldn't say that as of yet. Once we bind OpenSSL 1.1's built in support I'd be okay closing this though.

There's a related issue of providing a higher level interface so people don't have to remember to adjust their cipher suites, enable cert verification, etc.
