Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: default s2nc should accept default s2nd cert #4670

Merged
merged 3 commits into from
Jul 30, 2024
Merged

fix: default s2nc should accept default s2nd cert #4670

merged 3 commits into from
Jul 30, 2024

Conversation

lrstewart
Copy link
Contributor

@lrstewart lrstewart commented Jul 29, 2024
edited
Loading

Resolved issues:

#4660 (reply in thread)

Description of changes:

s2nd is built with a default, hard-coded certificate chain, but by default s2nc does not trust that certificate chain. This change adds the default certificate chain's CA to s2nc's default trust store.

Testing:

Running s2nc localhost 8000 against s2nd localhost 8000 now works.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@github-actions github-actions bot added the s2n-core team label Jul 29, 2024
@lrstewart lrstewart marked this pull request as ready for review July 29, 2024 17:04
WesleyRosenblum
WesleyRosenblum approved these changes Jul 29, 2024
View reviewed changes
bin/common.c Outdated Show resolved Hide resolved
bin/common.c
Comment on lines +495 to +500
if (is_localhost) {
bool match = (strcasecmp(host_name, "localhost") == 0);
match |= (strcasecmp(host_name, "127.0.0.1") == 0);
/* Some of our older test certificates use odd common names */
match |= (strcasecmp(host_name, "s2nTestServer") == 0);
return (uint8_t) match;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this was added just as an additional sanity check?

Copy link
Contributor Author

@lrstewart lrstewart Jul 29, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure I'd call it an additional sanity check. The verify_host callback has to accept the certificate. Before it was rejecting it because the common name was s2nTestServer. But I suppose you could call it a sanity check since it'd probably be just as valid to implement verify_host to accept any host name when connecting to localhost.

lrstewart and others added 2 commits July 29, 2024 16:24
@lrstewart @WesleyRosenblum
Fix comment typo
42015e5 
Co-authored-by: Wesley Rosenblum <55108558+WesleyRosenblum@users.noreply.github.com>
@lrstewart
Merge branch 'main' into fix
64b57d5
@lrstewart lrstewart enabled auto-merge (squash) July 29, 2024 23:24
@lrstewart lrstewart merged commit 2f5f8ec into aws:main Jul 30, 2024
34 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maddeleine maddeleine maddeleine approved these changes

@WesleyRosenblum WesleyRosenblum WesleyRosenblum approved these changes

Assignees
No one assigned
Labels
s2n-core team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@lrstewart @WesleyRosenblum @maddeleine