fix validation of self-signed cert chains

The interface here is a bit weird - if the verify callback returns 1 for a certificate higher up in the chain, this will propagate to the next invocation of the callback for the next certificate, even if openssl on its own would not trust the certificate. By re-ordering the checks and keeping track of the fact that we returned 1 despite openssl failing its own validation, the validation logic should now cover all combinations of certificate count and self-signed/system trust status. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2024-12-21 13:34:10 +03:00 · 2024-03-26 09:15:02 +01:00 · 2024-03-26 09:15:02 +01:00 · 6c8c78d01a
commit 6c8c78d01a
parent dfee5e09ac
1 changed files with 10 additions and 3 deletions
--- a/src/PVE/APIClient/LWP.pm
+++ b/src/PVE/APIClient/LWP.pm
@ -415,11 +415,18 @@ sub new {
 	$ssl_opts->{'SSL_verify_callback'} = sub {
 	    my ($openssl_valid, undef, undef, undef, $cert, $depth) = @_;

-	    # we don't care about intermediate or root certificates
-	    return 1 if $depth != 0;
-
 	    return 1 if $trust_openssl && $openssl_valid;

+	    # Openssl encountered validation error, only allow validation to
+	    # pass if fingerprint is verified
+	    $trust_openssl = 0;
+
+	    # We don't care about intermediate or root certificates if we don't
+	    # trust openssl's validation result
+	    return 1 if $depth != 0;
+
+	    # We've reached the leaf certificate and the chain didn't pass
+	    # openssl's validation - let's verify the fingerprint!
 	    return verify_cert_callback($fingerprints, $cert, $verify_fingerprint_cb);
 	}
    }