[Vm-dev] [squeak-dev] SqueakSSL + SAN certificates

Tobias Pape Das.Linux at gmx.de
Thu Aug 20 14:18:31 UTC 2015 

Hi again
(hi sven)

On 02.06.2015, at 05:56, Levente Uzonyi <leves at elte.hu> wrote:

> Hi David,
> 
> There's a debate about how SAN certificates - and server name verification in general - should be handled[1][2].
> I tend to agree with Tobias on verifying the server name in the plugin, but getting there will require further efforts - especially on the unix platform.
> 
> While this version solves a particular case, and is backwards compatible on the image side, I think we should look for a better, more general solution.

I have sketched an Idea how to handle verification in SqueakSSL in general (and briefly presented to Bert),
I'm not yet sure, however, and I'm on vacation the next two weeks. But after
that I'd like to spark a discussion (hoepfully including Sven, for Zodiac) that will involve:

a) no manual verification. Period.
b) fail on non-verification.
c) optional 'unverified' mode that has to be requested explicitly
d) Moving the Unix platform code to libtls (easier to understand)

That's my 2ct for now, more in September.

Best regards
	-Tobias



> 
> Levente
> 
> [1] http://lists.squeakfoundation.org/pipermail/squeak-dev/2015-May/184613.html
> [2] http://lists.squeakfoundation.org/pipermail/squeak-dev/2015-May/184631.html
> 
> On Mon, 1 Jun 2015, David T. Lewis wrote:
> 
>> 
>> Hi Levente,
>> 
>> Regarding your VM changes for SqueakSSL, shall I commit these to the SVN
>> trunk repository? Ian delegated access to platforms/unix so that I can do
>> that for you if you like.
>> 
>> We have several Mantis entries to track your SqueakSSL work:
>> 
>> http://bugs.squeak.org/view.php?id=7751 (Add SSL plugin)
>> http://bugs.squeak.org/view.php?id=7793 (Memory leak in the SqueakSSL plugin on unix)
>> http://bugs.squeak.org/view.php?id=7824 (Add TLS SNI Server Name Indication support to SqueakSSL plugin)
>> 
>> Your latest version http://leves.web.elte.hu/squeak/SqueakSSL/ adds
>> the SAN certificates support, so I think we should commit your latest
>> version and close the Mantis issues.
>> 
>> If you agree I will update the SVN files.
>> 
>> Thanks,
>> Dave
>> 
>> p.s. There are still issues in SqueakSSL when sizeof(sqInt) is 8
>> (64 bit images) but that is a separate discussion.
>> 
>> 
>> 
>> On Tue, May 26, 2015 at 11:55:42PM +0200, Levente Uzonyi wrote:
>>> Hi All,
>>> 
>>> I've implemented support for reading the domain names from the
>>> certificate's SAN extension[1] in SqueakSSL.
>>> The image side code is in the Inbox[2]. It is backwards compatible --
>>> everything works as before without the VM changes.
>>> I've also uploaded the modified files[3][4] for the unix platform, and a
>>> diff[5] (which somehow doesn't include the changes of the .h file).
>>> 
>>> The VM support code for other platforms are to be done.
>>> 
>>> These changes fix the failing SqueakSSL test in the Trunk, so I suggest
>>> including the .mcz file in the 4.6 release.
>>> 
>>> Levente
>>> 
>>> [1] https://en.wikipedia.org/wiki/SubjectAltName
>>> [2]
>>> http://lists.squeakfoundation.org/pipermail/squeak-dev/2015-May/184581.html
>>> [3] http://leves.web.elte.hu/squeak/SqueakSSL/SqueakSSL.h
>>> [4] http://leves.web.elte.hu/squeak/SqueakSSL/sqUnixOpenSSL.c
>>> [5] http://leves.web.elte.hu/squeak/SqueakSSL/diff.txt

More information about the Squeak-dev mailing list