Bleeding Edge - Source Code → Verifying the peer (server) certificate when using SSL connections

Verifying the peer (server) certificate when using SSL connections

This thread is opened because I've written "I think we should set SSL_verify_mode to SSL_VERIFY_PEER to verify the peer (server) certificate in the future version of POPFile (but currently I don't know how to set the CA path on Windows). So I've added TODO comments to 'Proxy/Proxy.pm' and 'Services/IMAP/Client.pm'." in the following discussion page:

http://getpopfile.org/discussion/1/484/1846#1846

* Background

The newer version of IO::Socket::SSL verifies the peer certificate by default:

http://search.cpan.org/~sullr/IO-Socket-SSL-1.966/lib/IO/Socket/SSL.pm

SSL_verify_mode

This option sets the verification mode for the peer certificate. You may combine SSL_VERIFY_PEER (verify_peer), SSL_VERIFY_FAIL_IF_NO_PEER_CERT (fail verification if no peer certificate exists; ignored for clients), SSL_VERIFY_CLIENT_ONCE (verify client once; ignored for clients). See OpenSSL man page for SSL_CTX_set_verify for more information.

The default is SSL_VERIFY_NONE for server (e.g. no check for client certificate) and SSL_VERIFY_PEER for client (check server certificate).

And we need to set 'SSL_ca_file' or 'SSL_ca_path' option to use the 'SSL_VERIFY_PEER' mode:

SSL_ca_file | SSL_ca_path

Usually you want to verify that the peer certificate has been signed by a trusted certificate authority. In this case you should use this option to specify the file (SSL_ca_file) or directory (SSL_ca_path) containing the certificate(s) of the trusted certificate authorities. If both SSL_ca_file and SSL_ca_path are undefined and not builtin defaults (see "Defaults for Cert, Key and CA".) can be used, it will try to use the system defaults used built into the OpenSSL library. If you really don't want to set a CA set this key to .

* TODO

To verify the server certificate, we need to get a valid CA cert bundle and update continuously.

** How to get CA cert bundle

Mozilla::CA Perl module (http://search.cpan.org/~abh/Mozilla-CA/) supplies 'Mozilla's CA cert bundle in PEM format'. The module is available in the PPM repository, so we can use it on Windows.

** Users can use their original CA files?

Do we need to add an option to allow users to use their original CA files?

Naoki

  • Message #1848

    ** How to get CA cert bundle

    Mozilla::CA Perl module (http://search.cpan.org/~abh/Mozilla-CA/) supplies 'Mozilla's CA cert bundle in PEM format'. The module is available in the PPM repository, so we can use it on Windows.

    Here's a patch to test Mozilla::CA module to verify the peer certificate:

    Index: Proxy/Proxy.pm
    ===================================================================
    --- Proxy/Proxy.pm	(revision 3862)
    +++ Proxy/Proxy.pm	(working copy)
    @@ -518,6 +518,7 @@
             if ( $ssl ) {
                 eval {
                     require IO::Socket::SSL;
    +                require Mozilla::CA;
                 };
                 if ( $@ ) {
                     # Cannot load IO::Socket::SSL
    @@ -535,11 +536,8 @@
                             PeerPort => $port,
                             Timeout  => $self->global_config_( 'timeout' ),
                             Domain   => AF_INET,
    -                        SSL_verify_mode => 0x0,
    -
    -                        # TODO:
    -                        #  We should set SSL_verify_mode to  SSL_VERIFY_PEER
    -                        #  to verify the peer (server) certificate.
    +                        SSL_verify_mode => 0x2,
    +                        SSL_ca_file => Mozilla::CA::SSL_ca_file(),
                 ); # PROFILE BLOCK STOP
     
             } else {
    Index: Services/IMAP/Client.pm
    ===================================================================
    --- Services/IMAP/Client.pm	(revision 3862)
    +++ Services/IMAP/Client.pm	(working copy)
    @@ -133,18 +133,15 @@
     
             if ( $use_ssl ) {
                 require IO::Socket::SSL;
    +            require Mozilla::CA;
                 $imap = IO::Socket::SSL->new (
                                     Proto    => "tcp",
                                     PeerAddr => $hostname,
                                     PeerPort => $port,
                                     Timeout  => $timeout,
                                     Domain   => AF_INET,
    -                                SSL_verify_mode => 0x0,
    -
    -                                # TODO:
    -                                #  We should set SSL_verify_mode to 
    -                                #  SSL_VERIFY_PEER to verify the peer
    -                                #  (server) certificate.
    +                                SSL_verify_mode => 0x2,
    +                                SSL_ca_file => Mozilla::CA::SSL_ca_file(),
                         )
                         or $self->log_(0, "IO::Socket::SSL error: $@");
             }
    

    I've tested it on Windows with modified version of v1.1.3.

    Naoki

    • Message #1850

      That was quick work!

      I'll try those patches out on my system. I was about to upload my new SSL updater utility but I will try these patches first.

      Brian

      • Message #1851

        I'll try those patches out on my system. I was about to upload my new SSL updater utility but I will try these patches first.

        On POPFile v1.1.3 with the older version of IO::Socket::SSL, we don't support the peer (server) verification and when applying my patch, POPFile will always verify the peer certificate.
        I thought this is a major change which would be included in the next release.

        Naoki

        • Message #1852

          I thought this is a major change which would be included in the next release.

          OK. I will leave those patches out of the SSL Updater program.

          I was able to apply your patches and use them to make POP3 and IMAP connections to Gmail. My anti-virus program's email handler initially blocked all of the verification attempts. I had to temporarily disable the anti-virus program's email scanner to let POPFile perform the verification.

          Brian

          • Message #1853

            I was able to apply your patches and use them to make POP3 and IMAP connections to Gmail. My anti-virus program's email handler initially blocked all of the verification attempts. I had to temporarily disable the anti-virus program's email scanner to let POPFile perform the verification.

            Thank you for the information.
            We'll need to write some documentation about the verification.

            Naoki