ssl: Skip undecodable certificate_authorities names#11356
Open
ausimian wants to merge 1 commit into
Open
Conversation
Contributor
CT Test Results 2 files 66 suites 25m 32s ⏱️ Results for commit 352c8aa. ♻️ This comment has been updated with latest results. To speed up review, make sure that you have read Contributing to Erlang/OTP and that all checks pass. See the TESTING and DEVELOPMENT HowTo guides for details about how to run test locally. Artifacts
// Erlang/OTP Github Action Bot |
The TLS CertificateRequest certificate_authorities list is only a hint for client certificate selection. Some real servers advertise CA names that violate PKIX type constraints, for example countryName encoded as UTF8String. Previously ssl_handshake decoded every advertised CA name with public_key:pkix_normalize_name/1. One malformed advisory name could therefore abort the whole handshake with a fatal decode_error, even when the client had no certificate configured. Catch normalization failures and drop only the bad CA name, keeping any valid names in the list. Add a regression test covering a malformed DN from erlangGH-11338 alongside a valid CA name. Fixes erlang#11338
f5e091c to
352c8aa
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fix TLS client handshakes failing when a server sends a TLS 1.2
CertificateRequest containing an undecodable CA name in the
certificate_authorities list.
The certificate_authorities list is advisory and is only used as a hint for
client certificate selection. Some real-world servers advertise CA names with
non-conformant encodings, such as countryName encoded as UTF8String. Previously,
one such entry caused
public_key:pkix_normalize_name/1to raise and abort thewhole handshake with a fatal
decode_error.This change skips only the malformed CA name and keeps any valid names.
Changes
certificate_authorities.
name.
Validation
git diff --checkmake -C lib/ssl/src optmake -C lib/ssl test ARGS="-suite ssl_handshake_SUITE -case drop_undecodable_certificate_authorities"./otp_build check --only-opt --no-docs --no-dialyzer --no-license-header --no-format-check --tests sslFixes #11338