Re: TOFU/cert pinning in libtls
Hi Lucas,

Lucas wrote on Sat, May 09, 2020 at 06:18:50PM +:

> I experimented with cert FP pinning in the past, too. tls_peer_cert_hash
> is probably what you're looking for. Found it looking at
> /usr/include/tls.h. Then tried to find it referenced in other manpages,
>
> oolong$ man -k Xr=tls_peer_cert_hash
> nc(1) - arbitrary TCP and UDP connections and listens
>
> That's far from ideal IMO,

While -k Xr= is occasionally useful, you should be aware that it does
a substring search, so it only finds manual pages that explicitly
reference tls_peer_cert_hash(3), but not manual pages that reference
the same page under the more usual name tls_conn_version(3) or under
other names like tls_peer_cert_notafter(3).

For example, as tedu@ pointed out:

  $ man -k Xr=tls_conn_version | sed 's/,.*//'
  tls_config_verify
  tls_init
  tls_ocsp_process_response
  tls_read

It would be theoretically possible to do this:

 * When searching for "Xr", treat that as a special case as follows:
 * First search for all pages having the Xr expression in their name
   rather than in an Xr macro.
 * Build a list of names from that, possibly including multiple names
   even when only a single page exists.
 * Search for Xr macros containing each of the names in turn and show
   all matching pages.

Then again, it would be quite ugly to implement that. Doing such a
multi-step search also wouldn't be fast but might take quite some time.
And finally, while in this case, it's clearly what you would want, in
other cases, users might wish to only search for one specific substring
as we currently do, so your proposed behaviour would result in false
positives from their point of view.

Also, the current behaviour is much easier to explain in the apropos(1)
manual page, which currently just needs to say

  Operator = evaluates a substring, while ~ evaluates a case-sensitive
  extended regular expression.

without having to explain a special case for Xr.

> but I don't know where, of the many tls_*
> manpages, would I reference it.

It is actually already referenced from at least four places in four
different tls*(3) pages.

Also, this is Unix, you can use pipes:

  $ man -k Nm=tls_peer_cert_hash | \
    sed 's/(.*//; s/,//g; s/\
Re: TOFU/cert pinning in libtls
On 2020-05-09, Bob Beck wrote:

> > oolong$ man -k Xr=tls_peer_cert_hash
> > nc(1) - arbitrary TCP and UDP connections and listens
> >
> > That's far from ideal IMO, but I don't know where, of the many tls_*
> > manpages, would I reference it.
>
> man tls_peer_cert_hash
>
> happily brings up the man page on my machines.

For reference, the relevant quote from tls_init:

  The properties of established TLS connections can be inspected with
  the functions described in tls_conn_version(3) and
  tls_ocsp_process_response(3).

It's just one line and may be easy to pass over, but it is there.
Re: TOFU/cert pinning in libtls
On Sat, May 09, 2020 at 06:18:50PM +, Lucas wrote:

> Hello Stephen,
>
> > My basic idea for the client is:
> >
> > - load a db of self-signed certs.
> > - connect to host
> > - if host cert is self signed
> >   - if not in db, prompt user and add to db
> >   - if in db, check fingerprint and warn user if they don't match.
> >
> > Browsing the manuals/source code, there doesn't seem to be an easy way
> > to configure this. I don't want to have to use the OpenSSL API for this
> > :(.
>
> I experimented with cert FP pinning in the past, too. tls_peer_cert_hash
> is probably what you're looking for. Found it looking at
> /usr/include/tls.h. Then tried to find it referenced in other manpages,
>
> oolong$ man -k Xr=tls_peer_cert_hash
> nc(1) - arbitrary TCP and UDP connections and listens
>
> That's far from ideal IMO, but I don't know where, of the many tls_*
> manpages, would I reference it.

man tls_peer_cert_hash

happily brings up the man page on my machines.
Re: TOFU/cert pinning in libtls
Hello Stephen,

> My basic idea for the client is:
>
> - load a db of self-signed certs.
> - connect to host
> - if host cert is self signed
>   - if not in db, prompt user and add to db
>   - if in db, check fingerprint and warn user if they don't match.
>
> Browsing the manuals/source code, there doesn't seem to be an easy way
> to configure this. I don't want to have to use the OpenSSL API for this
> :(.

I experimented with cert FP pinning in the past, too. tls_peer_cert_hash
is probably what you're looking for. Found it looking at
/usr/include/tls.h. Then tried to find it referenced in other manpages,

  oolong$ man -k Xr=tls_peer_cert_hash
  nc(1) - arbitrary TCP and UDP connections and listens

That's far from ideal IMO, but I don't know where, of the many tls_*
manpages, would I reference it.

HTH,
-Lucas
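Added example for the plan quoted above, built on tls_peer_cert_hash(3) as Lucas suggests. This is not code from the thread or from libtls itself; the db format ("host SHA256:<hex>", one entry per line), the constructed SAMPLE_DB and the tofu_* names are assumptions made for the example. The network client is compiled only with -DHAVE_LIBTLS and linked with -ltls; tofu_check needs nothing beyond libc and can be exercised offline.

```c
/*
 * Added example, not code from this thread or from libtls: trust-on-first-use
 * pinning of self-signed peer certificates on top of tls_peer_cert_hash(3).
 * Db format ("host SHA256:<hex>" per line), SAMPLE_DB and the tofu_* names
 * are assumptions.  Build with -DHAVE_LIBTLS -ltls for the network client.
 */
#include <stdio.h>
#include <string.h>

enum tofu_result {
	TOFU_NEW,	/* host unknown: ask the user, then record it */
	TOFU_MATCH,	/* known host, fingerprint unchanged */
	TOFU_MISMATCH	/* known host, fingerprint changed: refuse */
};

/* Constructed sample db; a real client would load this from a file. */
static const char SAMPLE_DB[] =
    "mail.example.test SHA256:0123456789abcdef0123456789abcdef"
    "0123456789abcdef0123456789abcdef\n"
    "irc.example.test SHA256:fedcba9876543210fedcba9876543210"
    "fedcba9876543210fedcba9876543210\n";

/* Compare the fingerprint the peer presented with the db entry for host. */
enum tofu_result
tofu_check(const char *db, const char *host, const char *peer_hash)
{
	size_t hlen = strlen(host), plen = strlen(peer_hash);
	const char *p = db;

	while (*p != '\0') {
		const char *eol = strchr(p, '\n');
		size_t linelen = eol != NULL ? (size_t)(eol - p) : strlen(p);
		/* require "host " exactly, so "irc.x" cannot match "irc.xy" */
		if (linelen > hlen + 1 && strncmp(p, host, hlen) == 0 &&
		    p[hlen] == ' ') {
			/* libtls gives "SHA256:" + lowercase hex; compare verbatim */
			if (linelen - hlen - 1 == plen &&
			    memcmp(p + hlen + 1, peer_hash, plen) == 0)
				return TOFU_MATCH;
			return TOFU_MISMATCH;
		}
		if (eol == NULL)
			break;
		p = eol + 1;
	}
	return TOFU_NEW;
}

#ifdef HAVE_LIBTLS
#include <tls.h>
/*
 * Connect, finish the handshake, then pin before any application data is
 * written.  Chain verification is off because the peers are self-signed; the
 * pin stands in for it.  Hostname checking is left on.  Returns the connected
 * context, or NULL when the pin is rejected or anything fails.
 */
struct tls *
tofu_connect(const char *db, const char *host, const char *port)
{
	struct tls_config *cfg = NULL;
	struct tls *ctx = NULL;
	const char *hash;
	int ok = 0;
	if (tls_init() == -1 || (cfg = tls_config_new()) == NULL ||
	    (ctx = tls_client()) == NULL)
		goto out;
	tls_config_insecure_noverifycert(cfg);
	if (tls_configure(ctx, cfg) == -1 ||
	    tls_connect(ctx, host, port) == -1 || tls_handshake(ctx) == -1) {
		fprintf(stderr, "tls: %s\n", tls_error(ctx));
		goto out;
	}
	/* the peer certificate is only known once the handshake completed */
	if ((hash = tls_peer_cert_hash(ctx)) == NULL)
		goto out;
	/* issuer == subject is the usual sign of a self-signed certificate */
	if (strcmp(tls_peer_cert_subject(ctx), tls_peer_cert_issuer(ctx)) != 0)
		printf("note: %s presented a CA-issued certificate\n", host);
	switch (tofu_check(db, host, hash)) {
	case TOFU_MATCH:
		ok = 1;
		break;
	case TOFU_NEW:
		printf("new host %s: %s\naccept and add to db? [y/N] ", host, hash);
		ok = getchar() == 'y';	/* caller appends "host hash" to the db */
		break;
	case TOFU_MISMATCH:
		fprintf(stderr, "WARNING: %s now presents %s, refusing\n", host, hash);
		break;
	}
out:
	tls_config_free(cfg);	/* ctx holds its own reference */
	if (ok)
		return ctx;	/* only now is it safe to tls_write() */
	if (ctx != NULL) {
		tls_close(ctx);
		tls_free(ctx);
	}
	return NULL;
}
#endif
```

Two things this approach hinges on: tls_peer_cert_hash(3) returns NULL until the handshake has completed, so the example calls tls_handshake(3) explicitly and pins before the first tls_write(3) rather than letting the first write trigger the handshake; and once tls_config_insecure_noverifycert(3) is set, the fingerprint comparison is the only thing authenticating the peer, so a mismatch has to abort the connection, not merely warn. The subject/issuer comparison is only a heuristic for "self-signed" and is informational here; it never bypasses the pin.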