<div dir="ltr"><div><div><div>I just had a big laugh Reading this. I never had to dig into openssl before so I unfortunately had to try to understand your API with eventmachine as an example. Silly me.</div></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span style="font-family:arial,sans-serif;color:rgb(68,68,68)">On the other hand I suppose if we do not call this it would pick the "default" trust store from the system which seems to be the case here because it can find </span><span style="font-family:arial,sans-serif">/usr/lib/ssl/certs/</span><span style="font-family:arial,sans-serif">2e5ac55d.0 . <br></span></blockquote><span style="font-family:arial,sans-serif"><div><span style="font-family:arial,sans-serif"><br></span></div>Actually the part responsible for this lookup is not part of the openssl library but from the ruby callback function registered through SSL_set_verify which as you said tries to verify each certificate in isolation ( with a configured store this time )<br><br>So I suppose openssl skip the part that is supposed to build the chain when no store is configured.<br><br></span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Do whatever it takes to never rely on this code again. Even abandon Ruby if that's what it takes...</blockquote><div><br></div><div> Hopefully we do not have a lot of code relying on eventmachine so we'll see if we can improve the library or move away from it.</div></div><div><br></div><div>Thanks so much for your time, explanation and responsiveness.</div><div dir="auto"><div dir="auto"><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, 3 Oct 2021, 17:37 Viktor Dukhovni, <<a href="mailto:openssl-users@dukhovni.org" target="_blank">openssl-users@dukhovni.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Sun, Oct 03, 2021 at 01:54:44PM +0200, Alex Robuchon wrote:<br>
<br>
> Thanks for the detailed answer.<br>
> <br>
> From strace I can see that I'm using /lib/x86_64-linux-gnu/libssl.so.1.1<br>
> <br>
> When I use the eventmachine lib that uses the wrong cert chain I can see<br>
> with strace :<br>
<br>
Run as far away from eventmachine as you can. The very first thing you<br>
see in the code is a compiled in default "private key" (for all the<br>
world to share).<br>
<br>
<a href="https://github.com/eventmachine/eventmachine/blob/5cac87805f26b5cdc29eca713871c3374131d786/ext/ssl.cpp#L30-L123" rel="noreferrer noreferrer" target="_blank">https://github.com/eventmachine/eventmachine/blob/5cac87805f26b5cdc29eca713871c3374131d786/ext/ssl.cpp#L30-L123</a><br>
<br>
Though applications can override these, and supply actual private keys,<br>
it does not get better from there... The comments in the code show the<br>
author punting on understanding the OpenSSL API and just guessing what<br>
to do.<br>
<br>
Indeed the code creates SSL_CTX objects without specifying either the<br>
default or explicit trust stores.<br>
<br>
The real disaster is in:<br>
<br>
<a href="https://github.com/eventmachine/eventmachine/blob/5cac87805f26b5cdc29eca713871c3374131d786/ext/ssl.cpp#L675-L698" rel="noreferrer noreferrer" target="_blank">https://github.com/eventmachine/eventmachine/blob/5cac87805f26b5cdc29eca713871c3374131d786/ext/ssl.cpp#L675-L698</a><br>
<br>
with a completely broken SSL verification callback, that completely<br>
ignores all errors from the chain construction and signature<br>
verification code, and just attempts to "verify" each certificate in<br>
*isolation*.<br>
<br>
<a href="https://github.com/eventmachine/eventmachine/blob/5cac87805f26b5cdc29eca713871c3374131d786/ext/ssl.cpp#L693-L697" rel="noreferrer noreferrer" target="_blank">https://github.com/eventmachine/eventmachine/blob/5cac87805f26b5cdc29eca713871c3374131d786/ext/ssl.cpp#L693-L697</a><br>
<br>
This means:<br>
<br>
* No verification of chain signatures<br>
* No verification of path constraints<br>
* No verification of name constraints<br>
* No hostname checks.<br>
* ...<br>
<br>
This code was written by someone too clueless to know what they're<br>
doing and too lazy to bother to learn. DO NOT USE IT.<br>
<br>
Do whatever it takes to never rely on this code again. Even abandon<br>
Ruby if that's what it takes...<br>
<br>
-- <br>
Viktor.<br>
</blockquote></div>