Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update HTTP-TPC to ignore whether certificates have allowed namespace #68

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from

Conversation

paulmillar
Copy link

Motivation:

Namespace checking rejects certificates if the subject DN is not one of the allowed values for that certificate's CA. A list of allowed subject DNs is maintained by IGTF for their trust store.

There are two problems with this approach.

  1. it is IGTF specific. There is no equivalent for CA/B, making interoperability with CA/B-approved CAs non-trivial.

  2. for HTTP-TPC, the check is pointless. It protects the certificate's Subject DN, which plays no role in the identity of the remote site. Instead, the X.509 v3 Subject Alternative Name is used, instead.

Modification:

Update the SSLContext (which includes the certificate chain validation) for the Apache HTTP client. There is (no longer) any namespace checking for such certificates.

Note that the namespace checking for client X.509 certificates (which is the intended target of namespace checking) is unaffected by this change.

Result:

HTTP-TPC now works with remote sites that have a CA/B certificate and using the system standard trust store.

Closes: #65

Motivation:

Namespace checking rejects certificates if the subject DN is not one of
the allowed values for that certificate's CA.  A list of allowed subject
DNs is maintained by IGTF for their trust store.

There are two problems with this approach.

  1. it is IGTF specific.  There is no equivalent for CA/B, making
     interoperability with CA/B-approved CAs non-trivial.

  2. for HTTP-TPC, the check is pointless.  It protects the
     certificate's Subject DN, which plays no role in the identity of
     the remote site.  Instead, the X.509 v3 Subject Alternative Name is
     used, instead.

Modification:

Update the SSLContext (which includes the certificate chain validation)
for the Apache HTTP client.  There is (no longer) any namespace checking
for such certificates.

Note that the namespace checking for client X.509 certificates (which is
the intended target of namespace checking) is unaffected by this change.

Result:

HTTP-TPC now works with remote sites that have a CA/B certificate and
using the system standard trust store.

Closes: italiangrid#65
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Namespace checking applied to host certificates under HTTP-TPC
2 participants