Cert selected from router CA bundle #1422
Comments
|
I don't see this behavior. I see the ER returning a chain of certs
Which is acceptable and expected. Inspecting the environment that you gave me the ip/port to, I see the same results. In your environment, I do see the following:
I expected something that sounded like a root signing 1, but it may be a naming issue. If spurious intermediate is an intermediate, I would also expect it in the chain returned by the ER, and this is most likely a configuration issue with/ the PKI that used to work on older versions but doesn't work on newer versions. Specifically, the C SDK swapped to OpenSSL, which requires a path to a root. Previously, the implementation didn't. |
|
After debugging the exact instance referenced by @gberl002, it turns out that the chain assembly logic is pulling leafs from the CA bundle. This is a two part fix.
|
fixes openziti/ziti#1422 server cert chain assembly
Observed behavior
When using openssl to connect to a router with additional certs defined in the ca bundle, certs are returned from the ca bundle instead of the server cert field.
Expected behavior
Only certs defined in the identity.server_cert entry should be returned
Steps to reproduce
openssl s_client -connect localhost:1282 -servername 150.136.141.199(assuming the cert contains a SANS entry for 150.136.141.199)Note This issue was discovered while upgrading from
v0.26.5tov0.30.3. After testing a few different versions, this issue begins presenting onv0.27.0and later. Upgrading fromv0.26.5up to and includingv0.26.11all function as expected. The breaking change seems to be inv0.27.0specifically.The text was updated successfully, but these errors were encountered: