From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id BCBBF87AE7 for ; Tue, 4 Jan 2022 12:37:42 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id AF0801BB7A for ; Tue, 4 Jan 2022 12:37:42 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 7FA0E1BB6C for ; Tue, 4 Jan 2022 12:37:41 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 565324376C for ; Tue, 4 Jan 2022 12:37:35 +0100 (CET) Message-ID: Date: Tue, 4 Jan 2022 12:37:30 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.4.1 Content-Language: en-US To: pve-devel@lists.proxmox.com, =?UTF-8?Q?Fabian_Gr=c3=bcnbichler?= References: <20211222135257.3242938-1-f.gruenbichler@proxmox.com> <20211222135257.3242938-7-f.gruenbichler@proxmox.com> From: Fabian Ebner In-Reply-To: <20211222135257.3242938-7-f.gruenbichler@proxmox.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 1.829 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment NICE_REPLY_A -3.354 Looks like a legit reply (A) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [main.rs] Subject: Re: [pve-devel] [PATCH v3 proxmox-websocket-tunnel 3/4] add fingerprint validation X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 Jan 2022 11:37:42 -0000 Am 22.12.21 um 14:52 schrieb Fabian Grünbichler: > in case we have no explicit fingerprint, we use openssl's regular "PEER" > verification. if we have a fingerprint, we ignore openssl altogether and > just verify the fingerprint of the presented leaf certificate. > > Signed-off-by: Fabian Grünbichler > --- > > Notes: > v3: switch to using hex instead of no-longer-existing digest_to_hex > v2: new > > src/main.rs | 47 ++++++++++++++++++++++++++++++++++++++++++++--- > 1 file changed, 44 insertions(+), 3 deletions(-) > > diff --git a/src/main.rs b/src/main.rs > index 582214c..49d6ffe 100644 > --- a/src/main.rs > +++ b/src/main.rs > @@ -134,9 +134,50 @@ impl CtrlTunnel { > } > > let mut ssl_connector_builder = SslConnector::builder(SslMethod::tls())?; > - if fingerprint.is_some() { > - // FIXME actually verify fingerprint via callback! > - ssl_connector_builder.set_verify(openssl::ssl::SslVerifyMode::NONE); > + if let Some(expected) = fingerprint { > + ssl_connector_builder.set_verify_callback( > + openssl::ssl::SslVerifyMode::NONE, > + move |_valid, ctx| { > + let cert = match ctx.current_cert() { > + Some(cert) => cert, > + None => { > + eprintln!("SSL context lacks current certificate."); > + return false; > + } > + }; > + > + let depth = ctx.error_depth(); > + if depth != 0 { > + return true; > + } Sorry about my ignorance. Does using SslVerifyMode::NONE imply that there is an error? At depth 0? Why is it fine to return true if not? > + > + let fp = match cert.digest(openssl::hash::MessageDigest::sha256()) { > + Ok(fp) => fp, > + Err(err) => { > + // should not happen > + eprintln!("failed to calculate certificate FP - {}", err); > + return false; > + } > + }; > + let fp_string = hex::encode(&fp); > + let fp_string = fp_string > + .as_bytes() > + .chunks(2) > + .map(|v| std::str::from_utf8(v).unwrap()) > + .collect::>() > + .join(":"); > + > + let expected = expected.to_lowercase(); > + if expected == fp_string { > + true > + } else { > + eprintln!("certificate fingerprint does not match expected fingerprint!"); > + eprintln!("expected: {}", expected); > + eprintln!("encountered: {}", fp_string); > + false > + } > + }, > + ); > } else { > ssl_connector_builder.set_verify(openssl::ssl::SslVerifyMode::PEER); > }