SSL Directory Hash

SSL implementations may support either a list of certificates in a file, a directory full of certificates, or both. Either method can have problems.

Probably a file that contains certificates is more common, though a directory could also be supported depending on what calls the software makes, and how a vendor has setup certificates on a system.

Defaults

If the files or directory is unknown, process tracing may show what is going on. Or you can dig through the source code. The following assumes OpenBSD 7.3.

    $ printf 'GET / HTTP/1.0\r\n\r\n' | ktrace nc -c thrig.me 443 >/dev/null
    $ kdump | grep NAMI | grep ssl
      3080 nc       NAMI  "/usr/lib/libssl.so.53.2"
      3080 nc       NAMI  "/etc/ssl/cert.pem"
      3080 nc       NAMI  "/etc/ssl/cert.pem"

So nc(1) only looks at /etc/ssl/cert.pem and not a directory of certificates. By way of contrast the Net::Gemini code does look at /etc/ssl for something:

    $ ktrace gmitool get gemini://thrig.me >/dev/null
    $ kdump | grep NAMI | grep ssl
     38804 perl     NAMI  "/usr/lib/libssl.so.53.2"
     38804 perl     NAMI  "/etc/ssl"
     38804 perl     NAMI  "/etc/ssl/certs"
     38804 perl     NAMI  "/etc/ssl/cert.pem"
     38804 perl     NAMI  "/etc/ssl/cert.pem"

Hashing

A detail that might be overlooked is that the certificates in a directory may need to be hashed. Also there can only be one certificate per file. And of course the software must use some call to load certificates from a directory. And other caveats.

A functional example would be to take the certificate for this capsule, hash it into a directory, and to write code that trusts only certificates in that directory.

=> thrig.pem

    $ mkdir ca
    $ cp thrig.pem ca
    $ cd ca
    $ ln -s thrig.pem `openssl x509 -noout -hash -in thrig.pem`.0
    $ cd ..

The hashing code needs to be a bit more complicated than this, see the fine manual or other such example code. In particular the suffix may vary when there are multiple certificates in a directory.

And now some test code:

=> hash.pl

    $ ktrace perl hash.pl
    20
    $ kdump | fgrep ./ca/
     43981 perl     NAMI  "./ca/ed7ac070.0"
     43981 perl     NAMI  "./ca/ed7ac070.0"
     43981 perl     NAMI  "./ca/ed7ac070.1"

And another test to confirm that verification fails after the link is removed:

    $ rm ca/ed*
    $ perl hash.pl
    nope: ,SSL connect attempt failed error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed

See Also

=> http://man.openbsd.org/man3/SSL_CTX_load_verify_locations.3 | http://man.openbsd.org/man3/tls_config_set_ca_path.3 | https://metacpan.org/pod/Net::Gemini

=> index.gmi

Proxy Information
Original URL
gemini://thrig.me/tech/ssl/hashdir.gmi
Status Code
Success (20)
Meta
text/gemini
Capsule Response Time
1025.427486 milliseconds
Gemini-to-HTML Time
1.140466 milliseconds

This content has been proxied by September (ba2dc).