Respect direct manipulation of X509_STORE #17

Open
ctz opened this issue May 1, 2024 · 0 comments
ctz commented May 1, 2024

At the moment certificate verification takes into account trusted certificates added via `SSL_CTX_load_verify_file` (and similar). However, it does not look at anything added by directly manipulating the `X509_STORE` returned from `SSL_CTX_get_cert_store`.

At minimum, we could extract certs and CRLs from that object each time and feed that to our verifier; at maximum, we could entirely use the verifier in libcrypto (at the cost of more memory-unsafe code in the TCB).

@ctz ctz added the enhancement New feature or request label May 1, 2024
@ctz ctz self-assigned this May 13, 2024