Page MenuHomePhabricator
Differential D18181

Append the intermediate chain to the "cert" parameter in Aphlict
ClosedPublic
Actions

Authored by alexmv on Jul 4 2017, 4:57 AM.
Tags
None
Referenced Files
F13060951: D18181.diff
Fri, Apr 19, 6:38 PM
Unknown Object (File)
Thu, Apr 18, 12:16 PM
Unknown Object (File)
Thu, Apr 11, 7:24 AM
Unknown Object (File)
Sun, Mar 31, 10:15 PM
Unknown Object (File)
Sat, Mar 30, 4:49 AM
Unknown Object (File)
Mar 4 2024, 6:42 AM
Unknown Object (File)
Feb 4 2024, 3:36 AM
Unknown Object (File)
Feb 3 2024, 4:19 PM
View All 80 Files
Subscribers
epriestley
Korvin

Details

Reviewers
epriestley
Group Reviewers
Blessed Reviewers
Commits
rP11f1c1391555: Append the intermediate chain to the "cert" parameter in Aphlict
Summary

Per the documentation[1], any intermediate chain is to be
appended to the "cert" parameter. The "ca" parameter controls the
root CA used to authenticate the client certificate, if one is
provided, and is not used for intermediate certificate chains -- nor
has it ever been. It is not clear how this could have worked in the
past[2].

[1] https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options
[2] D15709

Test Plan

Before this diff, with node 4.2.6 from Ubuntu packages:

$ openssl s_client -connect phabricator.dropboxer.net:22280 -verify 5 -CApath /etc/ssl/certs/
verify depth is 5
CONNECTED(00000003)
depth=0 C = US, ST = California, L = San Francisco, O = "Dropbox, Inc", OU = Dropbox Ops, CN = phabricator.dropboxer.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Dropbox, Inc", OU = Dropbox Ops, CN = phabricator.dropboxer.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Dropbox, Inc", OU = Dropbox Ops, CN = phabricator.dropboxer.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Dropbox, Inc/OU=Dropbox Ops/CN=phabricator.dropboxer.net
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA

After:

$ openssl s_client -connect phabricator.dropboxer.net:22280 -verify 5 -CApath /etc/ssl/certs/
verify depth is 5
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Dropbox, Inc", OU = Dropbox Ops, CN = phabricator.dropboxer.net
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Dropbox, Inc/OU=Dropbox Ops/CN=phabricator.dropboxer.net
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
 1 s:/C=US/ST=California/L=San Francisco/O=Dropbox, Inc/OU=Dropbox Ops/CN=phabricator.dropboxer.net
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA

Diff Detail

Repository
rP Phabricator
Branch
up-aphlict-ssl (branched from master)
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 17625
Build 23660: Run Core Tests
Build 23659: arc lint + arc unit

Event Timeline

alexmv created this revision.Jul 4 2017, 4:57 AM
Herald added a reviewer: Blessed Reviewers. · View Herald TranscriptJul 4 2017, 4:57 AM
Herald added a subscriber: epriestley. · View Herald Transcript
Harbormaster completed remote builds in B17625: Diff 43736.Jul 4 2017, 4:58 AM
alexmv added a comment.Jun 25 2018, 4:51 PM

Ping on this?

epriestley accepted this revision.Jun 26 2018, 2:58 PM

(Does this survive a cert file with no terminal newline?)

This revision is now accepted and ready to land.Jun 26 2018, 2:58 PM
Herald added a subscriber: Korvin. · View Herald TranscriptJun 26 2018, 2:58 PM
alexmv added a comment.Jun 26 2018, 7:33 PM
In D18181#240863, @epriestley wrote:

(Does this survive a cert file with no terminal newline?)

Quick testing says no, and adding an extra newline works fine. Thanks for the catch -- I'll land with that adjustment.

alexmv closed this revision.Jun 26 2018, 7:34 PM

Revision Contents
Changeset List

PathSize
support/
aphlict/
server/
11 lines

Diff 43736

View Options

support/aphlict/server/aphlict_server.js

Loading...
Phabricator · Built by Phacility