On Sun, Jul 27, 2014 at 3:49 AM, Florian Zumbiehl <fl...@florz.de> wrote:
>
> > Is this an area where the current behavior cannot be used safely?  No.
> >  Indeed, using CAs in circumstances where OpenSSL doesn't may create
> > security issues for existing scripts using the openssl command.
> >
> > *If* using the compiled in paths is correct, then I would think using the
> > setup_verify() function and thus following the behavior of "smime" and
> > "ocsp" would be a better choice, but changing that behavior seems unwise.
>
> Ignoring the details of what the correct behaviour should look like for the
> moment, but I think you fell victim to the confusion potential of the
> current code? The current code most certainly does not do what users
> expect, or what the documentation claims, or even what could make sense in
> even the most contrived scenario, and can easily cause security problems if
> you aren't extra careful (that is, unless you test whether it actually does
> what you expect it to do):
>
> |       if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
> |           (!SSL_CTX_set_default_verify_paths(ctx))) {
>
> If loading the CAs specified by the user succeeds, we next override that by
> loading the default instead.
>

Ha!  Ain't this code great!  You're correct that I misread it.  So right
now:
 * If you don't specify either option, no CAs will be available
 * if you specify -CAfile and it can't be loaded, then no CAs will be
available
 * if you specify -CApath and either it's the zero-length path ("") or
there's a malloc failure in the string parsing, then only the CAs from the
-CAfile option (if any) will be available
 * if you specified either -CAfile or -CApath or both and neither failed
(i.e., none of the above cases), then those CAs *and* the CAs in the
default paths will be available

Those are...amazing...semantics.

The proposed patch would, if I'm reading it correctly, change the semantics
to instead be:
 * if you don't specify either option, you get the CAs in the default paths
 * if you specify -CAfile and it can't be loaded, then no CAs will be
available
 * if you specify -CApath and either it's the zero-length path ("") or
there's a malloc failure in the string parsing, then only the CAs from the
-CAfile option (if any) will be available
 * if you specified either -CAfile or -CApath or both and neither failed
(i.e., none of the above cases), then only those CAs will be available

That is, it would move the default CA loading from the "specified either or
both option and nothing failed" case to the "specified neither option"
case.  Yes?


Philip Guenther

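The two case lists in the reply above, as an added Python model that is not part of this thread and not OpenSSL's apps code. It keeps the exact shape of the quoted expression (short-circuit `||`) next to the patch as the reply reads it, so the four outcomes can be run side by side offline. The certificate store, the contents of the compiled-in default paths, the file and directory names and the "malloc failure" switch are all constructed for the example; the only behaviour taken from OpenSSL is that `SSL_CTX_load_verify_locations()` fails when given neither argument, processes the file before the directory, and fails on the directory only for an empty string or an allocation failure (the openssl commands print the error and carry on, so the store contents are what matters, not the return value).

```python
"""Model of the two -CAfile/-CApath policies discussed in the thread.

Added illustration, not OpenSSL's apps code: the store, the default paths
and the failure modes are simulated so the control flow runs offline.
"""
from typing import Dict, FrozenSet, Optional, Set

# Constructed stand-ins (assumed, not real files) for the compiled-in
# default paths and for locations that exist on disk.
DEFAULT_PATH_CAS: Set[str] = {"SystemRoot-A", "SystemRoot-B"}
LOCATIONS: Dict[str, Set[str]] = {
    "/tmp/example/ca.pem": {"MyCA"},                # a loadable -CAfile
    "/tmp/example/certs/": {"DirCA-1", "DirCA-2"},  # a loadable -CApath
}


class Store:
    """Stand-in for the SSL_CTX's X509_STORE: a set of CA names plus a flag
    that lets a caller simulate the malloc failure in -CApath parsing."""

    def __init__(self, capath_alloc_fails: bool = False) -> None:
        self.cas: Set[str] = set()
        self.capath_alloc_fails = capath_alloc_fails

    def load_verify_locations(self, cafile: Optional[str], capath: Optional[str]) -> bool:
        """Mirror SSL_CTX_load_verify_locations(): True on success, False on failure.

        The file is handled before the directory, so a failing -CApath still
        leaves the -CAfile certs in the store.  A directory is only recorded
        for later hash lookups, so it fails only on "" or allocation failure,
        not on a missing directory.  With neither argument the call fails.
        """
        if cafile is None and capath is None:
            return False
        if cafile is not None:
            if cafile not in LOCATIONS:
                return False  # unreadable, or no PEM certificates in it
            self.cas |= LOCATIONS[cafile]
        if capath is not None:
            if capath == "" or self.capath_alloc_fails:
                return False
            self.cas |= LOCATIONS.get(capath, set())
        return True

    def set_default_verify_paths(self) -> bool:
        """Mirror SSL_CTX_set_default_verify_paths(): add the built-in paths."""
        self.cas |= DEFAULT_PATH_CAS
        return True


def current_policy(store: Store, cafile: Optional[str], capath: Optional[str]) -> bool:
    """The quoted expression: because of the short-circuit ||, the defaults are
    loaded only when the user-specified locations loaded successfully."""
    if (not store.load_verify_locations(cafile, capath)) or \
       (not store.set_default_verify_paths()):
        return False
    return True


def proposed_policy(store: Store, cafile: Optional[str], capath: Optional[str]) -> bool:
    """The patch as read in the reply: defaults only when neither option was
    given; otherwise exactly the user-specified locations."""
    if cafile is None and capath is None:
        return store.set_default_verify_paths()
    return store.load_verify_locations(cafile, capath)


def available_cas(policy, cafile: Optional[str], capath: Optional[str],
                  capath_alloc_fails: bool = False) -> FrozenSet[str]:
    """Run one policy and report which CAs verification would end up with.
    The apps only print the error and continue, so the store contents count
    regardless of the policy's return value."""
    store = Store(capath_alloc_fails)
    policy(store, cafile, capath)
    return frozenset(store.cas)


CASES = [
    ("neither option",        None,                   None),
    ("-CAfile unreadable",    "/tmp/example/missing", None),
    ("-CApath empty string",  "/tmp/example/ca.pem",  ""),
    ("-CAfile only",          "/tmp/example/ca.pem",  None),
    ("-CAfile and -CApath",   "/tmp/example/ca.pem",  "/tmp/example/certs/"),
]


def truth_table(policy) -> Dict[str, FrozenSet[str]]:
    """Outcome of every case above under one policy, keyed by case name."""
    return {name: available_cas(policy, f, p) for name, f, p in CASES}


if __name__ == "__main__":
    for label, policy in (("current", current_policy), ("proposed", proposed_policy)):
        print(f"== {label} ==")
        for name, cas in truth_table(policy).items():
            print(f"  {name:<22} {sorted(cas) or '(no CAs)'}")
```

Against a real build, the equivalent check is to point one of the affected openssl commands at a -CAfile holding only an unrelated CA and see whether a server certificate chaining to a system root still verifies: under the current expression it can, because the default paths were loaded behind the explicit -CAfile, which is the "explicit CAs *and* the defaults" case in the first list.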