[squeak-dev] SqueakSSL questions and problems

Tobias Pape Das.Linux at gmx.de
Tue Oct 27 20:00:56 UTC 2020


> On 27.10.2020, at 19:31, Douglas Brebner <kirtai+st at gmail.com> wrote:
> 
> Hi,
> 
> I've been playing around with SqueakSSL in Squeak and Cuis recently and found that most of the tests fail under Linux. It seems that the root of the problem is that the example test certificate in SqueakSSL>>#exampleCertFile is both expired (only valid from 2011->2012) and also using cyphers no longer supported in TLS 1.3. This breaks the tests using local connections.
> 
> 
> I am nowhere even close to being a crypto expert so I'm asking how should this be handled?
> 
> I believe that the certificate was supposed to be replaced every year (or longer with longer valid dates) but don't want to do this without some advice.


+

> Should we just replace the old certificate with a new one with longer validity or should there be some kind of automatic infrastructure to generate them as appropriate? Maybe one that can be downloaded?
> 

+

> Another problem I found is that WebClient/SqueakSSL apparently *does not verify* server certificates on MacOS.

+

> I don't know if this is just in the tests or if it's for all TLS/SSL connections but it should be clarified and/or fixed.
> 

++

All in all, SqueakSSL _used_to_ only verify on Windows, because it did not work anywhere else.
For Unix/openssl, I implemented Cert checking in so far that the hostname is ok, (maybe more? I can't remember),
for libressl/libtls, it should validate most things.

For Mac, things were meeeh. I even debugged into CommonCrypto and such just to find that it goes "should I verify here?" which was deeeply frustrating.

In theory, things should validate, in practice, not so much.


> In addition to this, I found that some of the SqueakSSL tests ping Google, Facebook and Yahoo urls. Changing these would be nice.

Hmm. These ones are useful and maaaybe are not down so often.
Anything we control is bound to have more downtime ¯\_(ツ)_/¯


> 
> Finally, is SqueakSSL an appropriate name for a *TLS* library used on both Squeak and Cuis? ;)

History…

> 
> Thanks
> 
> P.S. Ordinary Squeak client to remote https servers connections work fine on my Linux machine. Wireshark shows TLS 1.3 connections.

Depends on your OpenSSL library version :)

Best regards
	-Tobias
