Bug 726256 - allow pinning to a particular SSL certificate
Status: RESOLVED FIXED
Product: ostree
Classification: Infrastructure
Component: general
Version: unspecified
Hardware: Other Linux
Importance: Normal normal
Assigned To: OSTree maintainer(s)
Reported: 2014-03-13 16:12 UTC by Colin Walters
Modified: 2014-07-01 16:41 UTC

Attachments
[WIP] Add tls-ca-path (3.34 KB, patch)
2014-06-26 23:40 UTC, Colin Walters
Status: none
core: add "tls-ca-path" option (3.76 KB, patch)
2014-06-27 14:41 UTC, Colin Walters
Status: committed
pull: Only set ca path if we actually have a setting for it (1.23 KB, patch)
2014-07-01 12:54 UTC, Colin Walters
Status: committed

Description Colin Walters 2014-03-13 16:12:57 UTC
For Red Hat, we'd like to require that clients verify that updates are from the Red Hat CA, not just any CA on the system.
Comment 1 Colin Walters 2014-06-26 23:40:08 UTC
Created attachment 279351
[WIP] Add tls-ca-path

Untested.
Comment 2 Colin Walters 2014-06-27 14:41:08 UTC
Created attachment 279407
core: add "tls-ca-path" option

Some organizations will want to use private Certificate Authorities to
serve content to their clients.  While it's possible to add the CA
to the system-wide CA store, that has two drawbacks:

1) Compromise of that cert means it can be used for other web traffic
2) All of ca-certificates is trusted

This patch allows a much stronger scenario where *only* the CAs in
tls-ca-path are used for verification from the given repository.
Comment 3 Dan Winship 2014-06-27 15:01:08 UTC
Review of attachment 279407:

::: src/libostree/ostree-fetcher.c
@@ +242,3 @@
+  g_object_set ((GObject*)self->session, "ssl-use-system-ca-file", use_system, NULL);
+  if (db)
+    g_object_set ((GObject*)self->session, "tls-database", db, NULL);
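
Review bot: the if (db) test at the end of this hunk has no else branch, so when db is NULL and use_system is FALSE the session is left without the system CA file and without a replacement database. Consider making the two settings mutually exclusive in an if/else, or otherwise guaranteeing that use_system is TRUE whenever db is NULL. The (GObject*) casts are also unnecessary, since g_object_set takes a gpointer.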

setting tls-database to something other than the default db automatically sets ssl-use-system-ca-file false, so you could instead just do

  if (db)
    g_object_set ((GObject*)self->session, "tls-database", db, NULL);
  else
    g_object_set ((GObject*)self->session, "ssl-use-system-ca-file", TRUE, NULL);

but either way, looks right
Comment 4 Colin Walters 2014-06-27 19:49:16 UTC
Updated to use suggested code, thanks!
Comment 5 Colin Walters 2014-07-01 12:54:10 UTC
Created attachment 279674
pull: Only set ca path if we actually have a setting for it

Otherwise, GTlsFileDatabase ends up accepting NULL for anchors, and
then we don't trust any CAs at all.
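
The trust-store behaviour described in comments 2 and 5, as an added example that is not part of this bug report or of OSTree's code: a certificate issued by a private CA is checked against a store holding only that CA, a store holding a different CA, and a store with no anchors at all. It assumes the openssl command-line tool (OpenSSL 1.1.0 or later) in place of the libsoup/GTlsFileDatabase path OSTree uses; the function names and the repo.example.invalid subject are made up, and all keys and certificates are throwaway data generated on the spot.

```shell
#!/bin/sh
# Added illustration; every key and certificate here is constructed test data.

# make_demo_pki DIR: create two self-signed CAs ("private" stands in for the
# organization's CA, "other" for any CA in the system store) and one leaf
# certificate issued by the private CA.
make_demo_pki() {
  dir=$1
  for ca in private other; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
      -subj "/CN=$ca demo CA" \
      -keyout "$dir/$ca.key" -out "$dir/$ca.pem" 2>/dev/null || return 1
  done
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=repo.example.invalid" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$dir/leaf.csr" -days 2 \
    -CA "$dir/private.pem" -CAkey "$dir/private.key" -CAcreateserial \
    -out "$dir/leaf.pem" 2>/dev/null
}

# verify_with_anchors LEAF [CAFILE]: succeed only if LEAF chains to a CA in
# CAFILE. -no-CAfile and -no-CApath keep the default CA file and directory
# out of the check; with no CAFILE there are no anchors at all.
verify_with_anchors() {
  leaf=$1
  if [ -n "${2:-}" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$2" "$leaf" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath "$leaf" >/dev/null 2>&1
  fi
}

# pin_demo: print the outcome for the three trust stores.
pin_demo() {
  dir=$(mktemp -d) || return 1
  make_demo_pki "$dir" || { rm -rf "$dir"; return 1; }
  for store in "$dir/private.pem" "$dir/other.pem" ""; do
    if verify_with_anchors "$dir/leaf.pem" "$store"; then r=accepted; else r=rejected; fi
    echo "anchors=${store:-<none>} -> $r"
  done
  rm -rf "$dir"
}

pin_demo
```

Passing only -CAfile to openssl verify still consults the default CA directory, which is why the sketch adds -no-CApath to get the "only these CAs" behaviour.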
Comment 6 Colin Walters 2014-07-01 12:55:33 UTC
Reopened for regression.
Comment 7 Colin Walters 2014-07-01 16:41:38 UTC
Got review by James on IRC.

Attachment 279674 pushed as 772409e - pull: Only set ca path if we actually have a setting for it