Bug 726256 – allow pinning to a particular SSL certificate

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 726256 - allow pinning to a particular SSL certificate


Summary:	allow pinning to a particular SSL certificate


Status:	RESOLVED FIXED

Product:	ostree
Classification:	Infrastructure
Component:	general
Version:	unspecified
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	---
Assigned To:	OSTree maintainer(s)
QA Contact:	OSTree maintainer(s)

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2014-03-13 16:12 UTC by Colin Walters
Modified:	2014-07-01 16:41 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
[WIP] Add tls-ca-path (3.34 KB, patch) 2014-06-26 23:40 UTC, Colin Walters	none	Details \| Review
core: add "tls-ca-path" option (3.76 KB, patch) 2014-06-27 14:41 UTC, Colin Walters	committed	Details \| Review
pull: Only set ca path if we actually have a setting for it (1.23 KB, patch) 2014-07-01 12:54 UTC, Colin Walters	committed	Details \| Review

Description Colin Walters 2014-03-13 16:12:57 UTC

For Red Hat, we'd like to require clients verify that updates from the Red Hat CA, not just any CA on the system.

Comment 1 Colin Walters 2014-06-26 23:40:08 UTC

Created attachment 279351 [details] [review]
[WIP] Add tls-ca-path

Untested.

Comment 2 Colin Walters 2014-06-27 14:41:08 UTC

Created attachment 279407 [details] [review]
core: add "tls-ca-path" option

Some organizations will want to use private Certificate Authorities to
serve content to their clients.  While it's possible to add the CA
to the system-wide CA store, that has two drawbacks:

1) Compromise of that cert means it can be used for other web traffic
2) All of ca-certificates is trusted

This patch allows a much stronger scenario where *only* the CAs in
tls-ca-path are used for verification from the given repository.

Comment 3 Dan Winship 2014-06-27 15:01:08 UTC

Review of attachment 279407 [details] [review]:

::: src/libostree/ostree-fetcher.c
@@ +242,3 @@
+  g_object_set ((GObject*)self->session, "ssl-use-system-ca-file", use_system, NULL);
+  if (db)
+    g_object_set ((GObject*)self->session, "tls-database", db, NULL);

setting tls-database to something other than the default db automatically sets ssl-use-system-ca-file false, so you could instead just do

  if (db)
    g_object_set ((GObject*)self->session, "tls-database", db, NULL);
  else
    g_object_set ((GObject*)self->session, "ssl-use-system-ca-file", TRUE);

but either way, looks right

Comment 4 Colin Walters 2014-06-27 19:49:16 UTC

Updated to use suggested code, thanks!

Comment 5 Colin Walters 2014-07-01 12:54:10 UTC

Created attachment 279674 [details] [review]
pull: Only set ca path if we actually have a setting for it

Otherwise, GTlsFileDatabase ends up accepting NULL for anchors, and
then we don't trust any CAs at all.

Comment 6 Colin Walters 2014-07-01 12:55:33 UTC

Reopened for regression.

Comment 7 Colin Walters 2014-07-01 16:41:38 UTC

Got review by James on IRC.

Attachment 279674 [details] pushed as 772409e - pull: Only set ca path if we actually have a setting for it