Invalid server extensions error on private grpc service #446
Comments
Dear @mbacarella, thanks for your issue report. The error is an "Authentication Failure", with "leaf certificate ... invalid server extensions". This originates from the X.509 library which implements the authentication. Now, the function in question is the one about validating server extensions: https://github.com/mirleft/ocaml-x509/blob/v0.16.0/lib/validation.ml#L176-L187 And this one requires the "BasicConstraints CA=false", while your certificate contains "basicConstraints CA true depth none" -- so I wonder why your server has a CA certificate (which is able to sign other certificates), or whether this has been done accidentally? I know that the X.509 code was written as being as strict as possible, and don't know off the top of my head which RFC or recommendation was to ensure that CA=false. I can see two paths:
Hi @hannesm, thanks for the explanation. I'm connecting to the Lightning Network daemon ( I now notice that it appears that uses of the So, we're in good company I suppose. Not that this is necessarily an argument, but the openssl client supports this and I can connect to that endpoint using Are we okay with exposing an option from the ocaml X509 library to relax this strictness for the sake of interoperability?
Off the top of my head I don't remember which functionality is exposed by X509 atm -- you could build your own authenticator... But I'd be fine with a specific
For the sake of future generations, here's how I resolved this. I had started working on this but it felt wrong to add this to I looked into constructing my own So, I simply inserted a forked copy of x509 in my project that works around this.
CHANGES: * Validation: allow self-signed server certificate with BasicConstraints CA=true (reported by @mbacarella in mirleft/ocaml-tls#446 (lightningnetwork/lnd#5450), fix mirleft/ocaml-x509#161 by @hannesm)
For posterity, this turned out to have a much simpler solution. See here instead mirleft/ocaml-x509#160 (comment)
Hi there. Thank you for the pure-OCaml TLS implementation.
I'm attempting to port code that uses Async_ssl over to use Tls_async instead. The code accesses a gRPC service without public endpoints, so I need to provide a ca file copied from the server. This flow actually works fine with Async_ssl, but fails with an "invalid server extensions" error when I provide the ca file to Tls_async. I also tried Tls_async without the ca file and it connected fine. Maybe I'm configuring the client wrong?
Error message
Thanks for any light that could be shed here.
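Added example, not code from ocaml-x509, ocaml-tls or anyone in this thread: a minimal decoder for the DER value of the X.509 BasicConstraints extension that the "invalid server extensions" error is about, with the strict rule hannesm describes (a server leaf must carry CA=false) beside the relaxed rule from the CHANGES entry (CA=true accepted only for a self-signed server certificate). The sample DER values and the function names are constructed for this illustration and assume nothing about the reporter's actual certificate.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample extension values (DER-encoded), not taken from the issue.
SERVER_CA_TRUE_DER = bytes.fromhex("3003 0101ff")        # CA true, no depth (as in the report)
LEAF_DER = bytes.fromhex("3000")                          # CA defaults to FALSE; DER omits it
CA_PATHLEN0_DER = bytes.fromhex("3006 0101ff 020100")     # CA true, depth 0


@dataclass(frozen=True)
class BasicConstraints:
    ca: bool
    path_len: Optional[int]  # None corresponds to "depth none" in the error text


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos and return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_basic_constraints(der: bytes) -> BasicConstraints:
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER OPTIONAL }  (RFC 5280 section 4.2.1.9)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("BasicConstraints value must be a SEQUENCE")
    ca, path_len, pos = False, None, 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x01:    # BOOLEAN; DER requires TRUE to be encoded as 0xFF
            ca = value == b"\xff"
        elif tag == 0x02:  # INTEGER pathLenConstraint
            path_len = int.from_bytes(value, "big", signed=True)
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} inside BasicConstraints")
    return BasicConstraints(ca, path_len)


def server_leaf_ok(bc: BasicConstraints, self_signed: bool, allow_self_signed_ca: bool) -> bool:
    """Strict rule: a server leaf must not be a CA. Relaxed rule (the fix):
    a CA-flagged leaf is accepted only when it is self-signed."""
    if not bc.ca:
        return True
    return allow_self_signed_ca and self_signed
```

Under the strict rule the constructed "CA true, no depth" value is rejected even when self-signed, which is the failure the reporter hit; the relaxed rule accepts it only in the self-signed case, so a CA-flagged certificate issued by something else is still refused.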