💾 Archived View for thrig.me › tech › ssl › hashdir.gmi captured on 2023-06-16 at 17:39:36. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-04-19)
-=-=-=-=-=-=-
SSL implementations may support either a list of certificates in a file, a directory full of certificates, or both. Either method can have problems.
Probably a file that contains certificates is more common, though a directory could also be supported depending on what calls the software makes, and how a vendor has setup certificates on a system.
If the files or directory is unknown, process tracing may show what is going on. Or you can dig through the source code. The following assumes OpenBSD 7.3.
$ printf 'GET / HTTP/1.0\r\n\r\n' | ktrace nc -c thrig.me 443 >/dev/null $ kdump | grep NAMI | grep ssl 3080 nc NAMI "/usr/lib/libssl.so.53.2" 3080 nc NAMI "/etc/ssl/cert.pem" 3080 nc NAMI "/etc/ssl/cert.pem"
So nc(1) only looks at /etc/ssl/cert.pem and not a directory of certificates. By way of contrast the Net::Gemini code does look at /etc/ssl for something:
$ ktrace gmitool get gemini://thrig.me >/dev/null $ kdump | grep NAMI | grep ssl 38804 perl NAMI "/usr/lib/libssl.so.53.2" 38804 perl NAMI "/etc/ssl" 38804 perl NAMI "/etc/ssl/certs" 38804 perl NAMI "/etc/ssl/cert.pem" 38804 perl NAMI "/etc/ssl/cert.pem"
A detail that might be overlooked is that the certificates in a directory may need to be hashed. Also there can only be one certificate per file. And of course the software must use some call to load certificates from a directory. And other caveats.
A functional example would be to take the certificate for this capsule, hash it into a directory, and to write code that trusts only certificates in that directory.
$ mkdir ca $ cp thrig.pem ca $ cd ca $ ln -s thrig.pem `openssl x509 -noout -hash -in thrig.pem`.0 $ cd ..
The hashing code needs to be a bit more complicated than this, see the fine manual or other such example code. In particular the suffix may vary when there are multiple certificates in a directory.
And now some test code:
$ ktrace perl hash.pl 20 $ kdump | fgrep ./ca/ 43981 perl NAMI "./ca/ed7ac070.0" 43981 perl NAMI "./ca/ed7ac070.0" 43981 perl NAMI "./ca/ed7ac070.1"
And another test to confirm that verification fails after the link is removed:
$ rm ca/ed* $ perl hash.pl nope: ,SSL connect attempt failed error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
http://man.openbsd.org/man3/SSL_CTX_load_verify_locations.3
http://man.openbsd.org/man3/tls_config_set_ca_path.3