Introduction and Question


Andre
Feb 17, 2012, 8:20:17 AM
to Serf Development List
Hi,

I am new to this list, so an introduction is in order. My name is
Andre Fischer. For about 11 years I have been working on Apache OpenOffice
(formerly known as OpenOffice.org) and am employed by IBM (before that Sun
and Oracle).

At the moment I am helping Oliver (who introduced himself recently here on
this list) to replace Apache OpenOffice's use of Neon with Serf.

I have a question regarding SSL authentication with serf: most of the
authentication is done by openssl. Only when one of the certificates
in a certificate chain cannot be authenticated does openssl call back
into serf to resolve the problem. Serf (in validate_server_certificate())
basically forwards the call to server_cert_callback(), in this case to
OpenOffice.

My problem is that server_cert_callback() only provides access to the
last certificate in the chain, usually a self-signed root certificate.
Technically this should be enough information to complete the
authentication, since the rest of the chain has already been authenticated
by openssl. However, it is not enough for two reasons:

1) In OpenOffice I am not able to authenticate a single certificate
without the rest of the chain. I have to supply a URL along with the
certificate, and I do not have a URL for the root certificate.

2) If the root certificate cannot be authenticated (for whatever
reason) OpenOffice displays a dialog and asks the user if she wants to
accept the certificate anyway. This dialog needs access to the whole
chain, or otherwise it cannot show information that is meaningful to the
user: the user may recognize the name of his bank but maybe not the
name of a public certification authority.

I have found an issue that addresses the same problem [1]. The
attached diff looks straightforward.

Now my questions:

Is there a reason why the diff has not yet been applied?

Is there a better way to do what I am trying to do?


Best regards,
Andre

[1] http://code.google.com/p/serf/issues/detail?id=68

Greg Stein
Feb 17, 2012, 5:34:59 PM
to serf...@googlegroups.com
Hopefully, Paul or Justin can chime in here. They worked on the cert code.

That said... are you sure that your callback is not invoked for *each*
certificate in the chain? Recently, we had a problem in libsvn_ra_serf
because it only remembered problems with the server certificate, and
lost errors with the CA certificate. When we correctly accumulated
errors from all certificates, then we found problems with people's
systems not configured to trust the CA :-P

Given that problem, we must have been getting called more than once??

I can see how retrieving the whole chain makes sense, for more
sophisticated UIs to display. Should probably apply that patch, but
I'd like to know more about the callback and why ra_serf got multiple
calls, and you're not...

Cheers,
-g


Andre Fischer
Feb 20, 2012, 4:02:47 AM
to serf...@googlegroups.com
Hi Greg,

thanks for your fast answer.

On 17.02.2012 23:34, Greg Stein wrote:
> Hopefully, Paul or Justin can chime in here. They worked on the cert code.
>
> That said... are you sure that your callback is not invoked for *each*
> certificate in the chain?

No, I am not sure. Like in OpenOffice, there is little documentation for
serf, so I looked at its code and the documentation of openssl. The latter
because during authentication openssl calls serf, which in turn calls the
office. The documentation of SSL_CTX_set_verify() states that its callback
(which is validate_server_certificate() in ssl_buckets.c) is called for
every error (i.e. a certificate cannot be authenticated).

Only after I wrote my previous mail did I discover that the following sentence
states that the callback is also called when there is no error, just with
a different flag. So I checked validate_server_certificate() again to see
what would happen when it is called when there is no error. I do not see
how in that case serf would call back into the office (except for the
root certificate).

But I do not know if that case can occur in reality and I certainly do not
know how to create such a certificate chain for testing.

> Recently, we had a problem in libsvn_ra_serf
> because it only remembered problems with the server certificate, and
> lost errors with the CA certificate. When we correctly accumulated
> errors from all certificates, then we found problems with people's
> systems not configured to trust the CA :-P
>
> Given that problem, we must have been getting called more than once??
>
> I can see how retrieving the whole chain makes sense, for more
> sophisticated UIs to display. Should probably apply that patch, but
> I'd like to know more about the callback and why ra_serf got multiple
> calls, and you're not...

Apart from what I said earlier, there is also a question of usability.
Serf already has access to the whole chain of certificates. Would
it not be a bit cumbersome if an application that uses serf has to
wait for all callbacks, collect the certificates, and reconstruct the chain?

Regards,
Andre

Greg Stein
Mar 20, 2012, 4:02:55 PM
to serf...@googlegroups.com
Hey Andre, others,

I'm going to evaluate the certificate chain API, and (assuming all
looks good) include that into an upcoming 1.1.0 release. Note the
version bump to 1.1, in order to add the new API. You'll eventually
want to make AOO require serf 1.1.x once I release that version.

Cheers,
-g
