💾 Archived View for thrig.me › tech › ssl › hashdir.gmi captured on 2023-06-16 at 17:39:36. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-04-19)

-=-=-=-=-=-=-

SSL Directory Hash

SSL implementations may support either a list of certificates in a file, a directory full of certificates, or both. Either method can have problems.

Probably a file that contains certificates is more common, though a directory could also be supported depending on what calls the software makes, and how a vendor has setup certificates on a system.

Defaults

If the files or directory is unknown, process tracing may show what is going on. Or you can dig through the source code. The following assumes OpenBSD 7.3.

    $ printf 'GET / HTTP/1.0\r\n\r\n' | ktrace nc -c thrig.me 443 >/dev/null
    $ kdump | grep NAMI | grep ssl
      3080 nc       NAMI  "/usr/lib/libssl.so.53.2"
      3080 nc       NAMI  "/etc/ssl/cert.pem"
      3080 nc       NAMI  "/etc/ssl/cert.pem"

So nc(1) only looks at /etc/ssl/cert.pem and not a directory of certificates. By way of contrast the Net::Gemini code does look at /etc/ssl for something:

    $ ktrace gmitool get gemini://thrig.me >/dev/null
    $ kdump | grep NAMI | grep ssl
     38804 perl     NAMI  "/usr/lib/libssl.so.53.2"
     38804 perl     NAMI  "/etc/ssl"
     38804 perl     NAMI  "/etc/ssl/certs"
     38804 perl     NAMI  "/etc/ssl/cert.pem"
     38804 perl     NAMI  "/etc/ssl/cert.pem"

Hashing

A detail that might be overlooked is that the certificates in a directory may need to be hashed. Also there can only be one certificate per file. And of course the software must use some call to load certificates from a directory. And other caveats.

A functional example would be to take the certificate for this capsule, hash it into a directory, and to write code that trusts only certificates in that directory.

thrig.pem

    $ mkdir ca
    $ cp thrig.pem ca
    $ cd ca
    $ ln -s thrig.pem `openssl x509 -noout -hash -in thrig.pem`.0
    $ cd ..

The hashing code needs to be a bit more complicated than this, see the fine manual or other such example code. In particular the suffix may vary when there are multiple certificates in a directory.

And now some test code:

hash.pl

    $ ktrace perl hash.pl
    20
    $ kdump | fgrep ./ca/
     43981 perl     NAMI  "./ca/ed7ac070.0"
     43981 perl     NAMI  "./ca/ed7ac070.0"
     43981 perl     NAMI  "./ca/ed7ac070.1"

And another test to confirm that verification fails after the link is removed:

    $ rm ca/ed*
    $ perl hash.pl
    nope: ,SSL connect attempt failed error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed

See Also

http://man.openbsd.org/man3/SSL_CTX_load_verify_locations.3

http://man.openbsd.org/man3/tls_config_set_ca_path.3

https://metacpan.org/pod/Net::Gemini

index.gmi