
Ignore X509_V_ERR_AKID_SKID_MISMATCH #67343

Closed
wants to merge 1 commit into from
Closed

Conversation

vcsjones
Member

OpenSSL 3 started reporting X509_V_ERR_AKID_SKID_MISMATCH when building an X.509 chain that had mismatched AKID/SKIDs.
Previously, this resulted in a PartialChain. This changes the verify callback to ignore X509_V_ERR_AKID_SKID_MISMATCH, and lets PartialChain be what ends up getting reported. This is consistent with OpenSSL 1.x.

Closes #67304

@ghost

ghost commented Mar 30, 2022

Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details


Author: vcsjones
Assignees: -
Labels:

area-System.Security

Milestone: -

@omajid
Member

omajid commented Mar 30, 2022

Does this affect 6.0 as well? Will we (or should we) backport the fix?

@vcsjones
Member Author

vcsjones commented Mar 30, 2022

> Does this affect 6.0 as well?

Possibly.

> Will we (or should we) backport the fix?

As someone who has absolutely no authority on backporting, I think we should, if anything so that our release/6.0 tests don't assert if / when they start running on Ubuntu 22.04.

@omajid
Member

omajid commented Mar 30, 2022

> so that our tests don't assert if / when they start running on Ubuntu 22.04.

I am running tests with the 6.0 branch too on RHEL 9 (OpenSSL 3.0). For some reason, I don't see a test failure there. The test error only appears on main.

@vcsjones
Member Author

Hm. I wonder if this is another result of #65860. Let me see if that PR introduced this regression.

@omajid
Member

omajid commented Mar 30, 2022

> For some reason, I don't see a test failure there. The test error only appears on main.

That was a PEBKAC. I was building tests, but not running them 🤦

@vcsjones
Member Author

@omajid actually I think you are right, this doesn't reproduce for me on 3f26873, but does on 07eab2b. I think this is a recent regression against OpenSSL 3.0. I'm going to close this for now, as this might be fixing a symptom and not a root cause. I will re-open it pending discussion on the tracking issue.

@vcsjones vcsjones closed this Mar 30, 2022
@ghost ghost locked as resolved and limited conversation to collaborators Apr 29, 2022
Successfully merging this pull request may close these issues.

Unrecognized X509VerifyStatusCode:Interop+Crypto+X509VerifyStatusCode on RHEL 9/OpenSSL 3.0