
Incorrect detection of OpenSSL-specific TLS certificate files on NixOS #24

Closed
wentasah opened this issue Sep 4, 2022 · 5 comments · Fixed by #25


wentasah commented Sep 4, 2022

Julia on the NixOS distribution complains about "NetworkOptions could only find OpenSSL-specific TLS certificate files which cannot be used by MbedTLS", which seems to be incorrect.

NixOS provides /etc/ssl/certs/ca-bundle.crt, which contains both certificate variants: -----BEGIN CERTIFICATE----- as well as -----BEGIN TRUSTED CERTIFICATE-----. An excerpt from the file is shown below.

It seems MbedTLS understands this file, which can be confirmed with the following code:

julia> using NetworkOptions
julia> ENV["JULIA_SSL_CA_ROOTS_PATH"] = "/etc/ssl/certs/ca-bundle.crt"
julia> download("https://google.com")
...
julia> ca_roots()
"/etc/ssl/certs/ca-bundle.crt"

Without setting the environment variable, the warning is printed and ca_roots() returns the bundled_ca_roots():

julia> using NetworkOptions
julia> download("https://google.com")
Warning: ...
julia> ca_roots()
"/nix/store/kwizqkjrky766m6vqcxs5qjvjxf5qjji-julia-bin-1.8.0/share/julia/cert.pem"

I suppose that the warning should be shown only when the number of BEGIN CERTIFICATE lines is zero, and not if the number of BEGIN TRUSTED CERTIFICATE lines is greater than zero.

Excerpt from /etc/ssl/certs/ca-bundle.crt on NixOS:

Amazon Root CA 3
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Trusted for:
  - 1.3.6.1.5.5.7.3.1 (RFC5280: serverAuth key usage)
  - 1.3.6.1.5.5.7.3.4 (RFC5280: emailProtection key usage)
-----BEGIN TRUSTED CERTIFICATE-----
-----END TRUSTED CERTIFICATE-----
@StefanKarpinski
Member

Thanks for the report and analysis. I'll see if I can fix the logic here.

StefanKarpinski added a commit that referenced this issue Sep 20, 2022

Fix #24. PR #18 changed the logic for searching for CA root cert files to skip files containing OpenSSL-only "BEGIN TRUSTED CERTIFICATE" certificates since MbedTLS cannot use these certificates. This was a bit too aggressive: regular certs and OpenSSL-only certs can coexist in the same file, so we should use any file that has some regular cert in it, even if it also has OpenSSL-only certs. We should only emit a warning if we (1) found no files with regular certs and (2) found files with OpenSSL-only certs.
StefanKarpinski added a commit that referenced this issue Sep 21, 2022
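The selection rule from the commit message above, written out as an added Python sketch (not NetworkOptions' own code) so the old and corrected behaviour can be compared on a mixed NixOS-style bundle; the file names and certificate bodies are constructed placeholders, only the PEM markers matter:

```python
import re
from typing import Callable, List, NamedTuple, Optional, Tuple

# Constructed sample bundles: the base64 payloads are stand-ins, not real certs.
MIXED_BUNDLE = """\
Amazon Root CA 3
-----BEGIN CERTIFICATE-----
QkFTRTY0IFBMQUNFSE9MREVS
-----END CERTIFICATE-----

Trusted for:
  - 1.3.6.1.5.5.7.3.1 (RFC5280: serverAuth key usage)
-----BEGIN TRUSTED CERTIFICATE-----
QkFTRTY0IFBMQUNFSE9MREVS
-----END TRUSTED CERTIFICATE-----
"""
TRUSTED_ONLY = "-----BEGIN TRUSTED CERTIFICATE-----\nQUJD\n-----END TRUSTED CERTIFICATE-----\n"
PLAIN_ONLY = "-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"

# Anchored so the plain marker never matches inside the TRUSTED variant.
BEGIN_CERT = re.compile(r"^-----BEGIN CERTIFICATE-----$", re.M)
BEGIN_TRUSTED = re.compile(r"^-----BEGIN TRUSTED CERTIFICATE-----$", re.M)


class Counts(NamedTuple):
    regular: int        # certs MbedTLS can load
    openssl_only: int   # OpenSSL "TRUSTED CERTIFICATE" blocks


def count_certs(pem: str) -> Counts:
    return Counts(len(BEGIN_CERT.findall(pem)), len(BEGIN_TRUSTED.findall(pem)))


def usable_old(pem: str) -> bool:
    """Pre-fix rule (PR #18): reject any file that has an OpenSSL-only cert."""
    c = count_certs(pem)
    return c.regular > 0 and c.openssl_only == 0


def usable_new(pem: str) -> bool:
    """Fixed rule: a file is fine as long as it has at least one regular cert."""
    return count_certs(pem).regular > 0


def pick_ca_bundle(candidates: List[Tuple[str, str]],
                   usable: Callable[[str], bool]) -> Tuple[Optional[str], bool]:
    """Return (chosen file name or None, warn). Warn only when no usable file
    was found AND some candidate contained OpenSSL-only certs."""
    saw_openssl_only = False
    for name, pem in candidates:
        if usable(pem):
            return name, False
        if count_certs(pem).openssl_only > 0:
            saw_openssl_only = True
    return None, saw_openssl_only
```

With the old rule the mixed bundle is skipped and the warning fires; with the fixed rule it is selected, and the warning remains only for bundles that truly contain nothing MbedTLS can load.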
@rfourquet
Member

Is there a simple way to silence this warning on julia 1.8?

@wentasah
Author

I don't think so.

@StefanKarpinski
Member

The change that fixed this could be backported to 1.8 since it's arguably a bugfix.

@ulysses4ever

It'd be truly amazing to have it backported.
