This repository has been archived by the owner on Sep 28, 2022. It is now read-only.

Freeze TLS dependency version #1

Closed
svartalf opened this issue Feb 7, 2020 · 1 comment
Comments

svartalf (Owner) commented Feb 7, 2020

Some specific version of native-tls should be used instead of the git version:

[patch.crates-io]
# Note: fuzzing crate has the same override
native-tls = { git = "https://github.com/Goirad/rust-native-tls.git", branch = "pkcs8-squashed" }

Yet native-tls does not support PKCS#8 certificates; see sfackler/rust-native-tls#147

As an alternative, rustls could be used if it is able to handle PKCS#8 PEM files and communicate with unbound correctly. Additionally, it would avoid all the build issues that come from requiring the OpenSSL development files and so on.

@svartalf svartalf added the A-exporter Area: exporter label Feb 7, 2020
@svartalf svartalf added this to the 0.1.0 milestone Feb 7, 2020
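As an added illustration (not from the issue or the project), the override above can be pinned to a single commit with `rev` instead of following a branch head; the hash below is a placeholder, not a real revision:

```toml
[patch.crates-io]
# Was: branch = "pkcs8-squashed", which resolves to whatever the branch head
# is whenever Cargo.lock is regenerated, so two builds of the same tag can
# compile different native-tls code.
# Pin to one commit instead (placeholder hash, not a real revision):
native-tls = { git = "https://github.com/Goirad/rust-native-tls.git", rev = "<commit-sha>" }
```

With `rev`, Cargo.lock records exactly one commit that a reviewer can inspect, and the fuzzing crate's override can carry the same `rev` so both builds agree. Once a crates.io release of native-tls provides what the fork is needed for, the patch table can be dropped in favour of a normal pinned version with Cargo.lock committed.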
svartalf (Owner, Author) commented:

Side note: it seems hardly possible to use rustls instead of OpenSSL, since the webpki crate thinks that the certificates generated by unbound-control-setup are incorrect, probably due to some of these errors found by certlint:

$ ruby -I lib:ext bin/cablint /etc/unbound/unbound_control.pem
E: Old certificate version (not X.509v3)        unbound_control.pem
I: TLS Server certificate identified    unbound_control.pem
W: TLS Server certificates must include serverAuth key purpose in extended key usage    unbound_control.pem
E: BR certificates must be 825 days in validity or less unbound_control.pem
W: Certificate does not include authorityInformationAccess. BRs require OCSP stapling for this certificate.     unbound_control.pem
E: BR certificates must include certificatePolicies     unbound_control.pem
E: BR certificates must have subject alternative names extension        unbound_control.pem
E: commonNames in BR certificates must be from SAN entries      unbound_control.pem

$ ruby -I lib:ext bin/cablint /etc/unbound/unbound_server.pem
E: Old certificate version (not X.509v3)        unbound_server.pem
I: TLS Server certificate identified    unbound_server.pem
W: TLS Server certificates must include serverAuth key purpose in extended key usage    unbound_server.pem
E: BR certificates must be 825 days in validity or less unbound_server.pem
W: Certificate does not include authorityInformationAccess. BRs require OCSP stapling for this certificate.     unbound_server.pem
E: BR certificates must include certificatePolicies     unbound_server.pem
E: BR certificates must have subject alternative names extension        unbound_server.pem
E: commonNames in BR certificates must be from SAN entries      unbound_server.pem

webpki complains with a BadDER error and the rustls session fails with the following warning:

WARN  [rustls::session] Sending fatal alert DecodeError
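As an added example (not code from the issue, from unbound, or from the rustls/webpki projects), the following dependency-free Rust walks the outer DER structure of a certificate and reports the three things cablint flagged above that a strict parser trips on first: the X.509 version, whether the v3 extensions block exists at all, and whether a subjectAltName is among the extensions. webpki looks for the explicit `[0]` version field of an X.509v3 certificate before anything else, so an X.509v1 certificate (which has no such field) fails that tag check, which is consistent with the BadDER reported above. The two sample certificates are constructed byte arrays that model only the fields the walker reads; the `openssl` conversion command is the standard way to get DER from a PEM file and is not something the issue ran.

```rust
// Added example, not code from the issue or the project: a minimal DER walker that
// reports an X.509 certificate's version and whether it carries the v3 extensions
// block and a subjectAltName. webpki looks for the explicit [0] version field of an
// X.509v3 certificate first, so a v1 certificate fails that tag check and the failure
// surfaces as BadDER. Input is DER, e.g. from
//   openssl x509 -in /etc/unbound/unbound_server.pem -outform DER -out server.der
const TAG_INTEGER: u8 = 0x02;
const TAG_OID: u8 = 0x06;
const TAG_SEQUENCE: u8 = 0x30;
const TAG_CTX0: u8 = 0xa0; // [0] EXPLICIT version
const TAG_CTX3: u8 = 0xa3; // [3] EXPLICIT extensions
const OID_SUBJECT_ALT_NAME: &[u8] = &[0x55, 0x1d, 0x11]; // 2.5.29.17

/// One decoded DER element: tag byte plus the bytes of its value.
#[derive(Clone, Copy)] struct Tlv<'a> { tag: u8, value: &'a [u8] }

/// Read one TLV from the front of `buf`, returning it and the unread remainder. Short and
/// long-form lengths (up to 4 length bytes) are accepted; the indefinite form is rejected.
fn read_tlv(buf: &[u8]) -> Result<(Tlv<'_>, &[u8]), &'static str> {
    let (tag, first) = match buf { [t, f, ..] => (*t, *f), _ => return Err("truncated TLV header") };
    let (len, hdr) = if first < 0x80 {
        (first as usize, 2)
    } else {
        let n = (first & 0x7f) as usize;
        if n == 0 || n > 4 || buf.len() < 2 + n {
            return Err("bad DER length encoding");
        }
        (buf[2..2 + n].iter().fold(0usize, |acc, b| (acc << 8) | *b as usize), 2 + n)
    };
    let end = hdr.checked_add(len).filter(|e| *e <= buf.len()).ok_or("TLV value runs past end of buffer")?;
    Ok((Tlv { tag, value: &buf[hdr..end] }, &buf[end..]))
}

/// Split the value of a constructed element (SEQUENCE, [n]) into its children.
fn children(mut rest: &[u8]) -> Result<Vec<Tlv<'_>>, &'static str> {
    let mut out = Vec::new();
    while !rest.is_empty() {
        let (item, next) = read_tlv(rest)?;
        out.push(item);
        rest = next;
    }
    Ok(out)
}

#[derive(Debug, PartialEq, Eq)]
pub struct CertShape {
    pub version: u8,          // 1, 2 or 3
    pub has_extensions: bool, // the v3-only [3] extensions block is present
    pub has_san: bool,        // subjectAltName (2.5.29.17) is among them
}

pub fn inspect_certificate(der: &[u8]) -> Result<CertShape, &'static str> {
    let (cert, trailing) = read_tlv(der)?;
    if cert.tag != TAG_SEQUENCE || !trailing.is_empty() {
        return Err("input is not a single Certificate SEQUENCE");
    }
    let (tbs, _sig_alg_and_value) = read_tlv(cert.value)?;
    if tbs.tag != TAG_SEQUENCE {
        return Err("tbsCertificate is not a SEQUENCE");
    }
    let fields = children(tbs.value)?;
    // X.509v1 has no version field, so the first element is the serialNumber INTEGER;
    // v2/v3 encode [0] { INTEGER 1 | 2 }, i.e. version = value + 1.
    let version = match fields.first().map(|f| (f.tag, f.value)) {
        Some((TAG_CTX0, inner)) => match read_tlv(inner)?.0 {
            Tlv { tag: TAG_INTEGER, value: &[v] } if v <= 2 => v + 1,
            _ => return Err("malformed version INTEGER"),
        },
        Some((TAG_INTEGER, _)) => 1,
        _ => return Err("unexpected first tbsCertificate field"),
    };
    let ext_block = fields.iter().find(|f| f.tag == TAG_CTX3);
    let mut has_san = false;
    if let Some(block) = ext_block {
        // Extensions ::= SEQUENCE OF SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
        for ext in children(read_tlv(block.value)?.0.value)? {
            let (oid, _) = read_tlv(ext.value)?;
            has_san |= oid.tag == TAG_OID && oid.value == OID_SUBJECT_ALT_NAME;
        }
    }
    Ok(CertShape { version, has_extensions: ext_block.is_some(), has_san })
}

/// Constructed sample (not a real certificate): the X.509v1 shape cablint reported above,
/// no version field and no extensions; signatureAlgorithm and signatureValue are stubs.
pub const SAMPLE_V1_DER: &[u8] = &[
    0x30, 0x0a, 0x30, 0x03, 0x02, 0x01, 0x01, // Certificate { tbsCertificate { serialNumber 1 }
    0x30, 0x00, 0x03, 0x01, 0x00, //            signatureAlgorithm, signatureValue (stubs) }
];

/// Constructed sample: the same skeleton as X.509v3 with one subjectAltName (dNSName "unbound").
pub const SAMPLE_V3_DER: &[u8] = &[
    0x30, 0x27, 0x30, 0x20, //                  Certificate { tbsCertificate {
    0xa0, 0x03, 0x02, 0x01, 0x02, //              [0] version v3 (INTEGER 2)
    0x02, 0x01, 0x01, //                          serialNumber 1
    0xa3, 0x16, 0x30, 0x14, 0x30, 0x12, //        [3] Extensions { Extension {
    0x06, 0x03, 0x55, 0x1d, 0x11, //                extnID 2.5.29.17 (subjectAltName)
    0x04, 0x0b, 0x30, 0x09, 0x82, 0x07, //          extnValue OCTET STRING { GeneralNames { dNSName
    b'u', b'n', b'b', b'o', b'u', b'n', b'd', //      "unbound" } } } } }
    0x30, 0x00, 0x03, 0x01, 0x00, //            signatureAlgorithm, signatureValue (stubs) }
];
```

`inspect_certificate` stops before any signature or chain logic on purpose: a file it reports as version 1 with no extensions never reaches webpki's trust evaluation, so no amount of configuration on the rustls side helps. The fix has to happen where the certificates are generated, by issuing X.509v3 certificates that carry a subjectAltName; until then an OpenSSL-backed TLS stack is the one that will accept the existing files.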
