Self-signed certificate rejected with WebPKIError(CAUsedAsEndEntity) #114
Comments
Imagine we had a flag on each trust anchor indicating whether it was supposed to be a normal CA certificate or a self-signed end-entity certificate. Then on any such trust anchors, we could skip this check. I would be happy to review a PR that adds such a mechanism with appropriate tests.
I sent a PR (#127) adding support for self-signed certificates using the mechanism proposed by @briansmith
@briansmith Have you got any feedback, or is there anything I can do to help #127 get merged?
Wow, I'm blocked here, what the hell, I just want a TLS tunnel with a full self-signed certificate... Do I really need to make a root and sign it for nothing?
One of the original ideas I had for webpki was to support self-signed certificates as described above. The idea was to implement roughly what web browsers do with respect to "certificate error exceptions." However, given all the other things that need to be done, I think we have to be realistic about the prioritization of this feature. In particular, I think we should first focus on correctly implementing and verifying the correctness of the real, correct (web) PKI semantics, and de-prioritize other things. So, I'm just going to close this. Once we're past 1.0 we might reconsider.
Also, as far as I know, most users of this webpki crate are using it through Rustls. If you look in the Rustls issue tracker, you can see a relatively recent discussion about making it possible to implement alternate certificate validation that doesn't depend on webpki, and such an alternative mechanism was implemented in Rustls. So now you can use Rustls and plug in your own certificate processing to get the semantics you need.
We're running into this with self-signed certificates generated by LND that are accepted by OpenSSL, but not We'd like to understand the situation better so we can make LND generate certificates that work with both
I created an issue in the
@casey using webpki with LND was the original motivation for the PR I made which is linked above. It was never merged. LND's self-signed certs are not invalid in any way according to any spec that I'm aware of. webpki just doesn't support trusting self-signed certs. You can apply the linked patch to webpki, or you can replace LND's certs with certs from a CA (and add that CA as a root for webpki if it's not an existing trusted one). The latter approach is what I ended up doing since I don't want to maintain a fork of webpki. You can also bypass webpki. For example, if using rustls, set your own certificate verifier.
@jbg Ahhh, I see. Thank you for clarifying!
LOL, I had the same problem also with Not sure if just bytewise comparing of the certificate is a good idea, but at least I don't see any way it could be insecure. If anyone has pointers I'd appreciate any advice.
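To make the two ideas in this thread concrete, the per-anchor flag that @briansmith proposed and the bytewise comparison mentioned in the previous comment, here is an added example written for this page. It is not webpki or rustls code: `Cert`, `TrustAnchor`, `AnchorKind` and `verify_server_cert` are hypothetical stand-ins that model the decision logic only, with hand-filled fields instead of parsed DER, and all sample bytes and names are constructed. A trust anchor flagged `SelfSignedEndEntity` is accepted only when the presented certificate matches it byte for byte; everything else goes through the ordinary chain check, where an end entity carrying the CA flag is rejected with the same `CAUsedAsEndEntity` outcome the issue reports.

```rust
// Added example (not webpki or rustls code): a toy model of the
// "flag on each trust anchor" idea from the thread, so the
// CAUsedAsEndEntity decision can be exercised offline.

/// Stand-in for a parsed certificate. Real webpki parses DER; here the
/// fields are filled in by hand (constructed sample data).
#[derive(Clone, Debug, PartialEq)]
pub struct Cert {
    /// Raw encoding, compared byte for byte against a flagged anchor.
    pub der: Vec<u8>,
    pub subject: String,
    pub issuer: String,
    /// basicConstraints cA flag.
    pub is_ca: bool,
}

/// What a trust anchor may be used as.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum AnchorKind {
    /// Normal CA root: may only terminate a chain as an issuer.
    Ca,
    /// Self-signed end entity: accepted only when presented exactly.
    SelfSignedEndEntity,
}

pub struct TrustAnchor {
    pub cert: Cert,
    pub kind: AnchorKind,
}

#[derive(Debug, PartialEq)]
pub enum Error {
    CaUsedAsEndEntity,
    UnknownIssuer,
    CertNotValidForName,
}

const MAX_CHAIN_DEPTH: usize = 5;

/// Verify `end_entity` for `dns_name` against `anchors`, using
/// `intermediates` to complete the chain.
pub fn verify_server_cert(
    anchors: &[TrustAnchor],
    end_entity: &Cert,
    intermediates: &[Cert],
    dns_name: &str,
) -> Result<(), Error> {
    // Toy name check: a real verifier matches SAN entries, not a subject string.
    if end_entity.subject != dns_name {
        return Err(Error::CertNotValidForName);
    }

    // Path 1: the presented cert *is* an anchor flagged as a self-signed end
    // entity. Exact byte equality is required, so a lookalike cert with the
    // same subject is not accepted here.
    let pinned = anchors
        .iter()
        .any(|a| a.kind == AnchorKind::SelfSignedEndEntity && a.cert.der == end_entity.der);
    if pinned {
        return Ok(());
    }

    // Path 2: ordinary chain building. This is the check the issue trips
    // over: an end entity that carries the CA flag is rejected outright,
    // even if the very same cert was added as a normal CA root.
    if end_entity.is_ca {
        return Err(Error::CaUsedAsEndEntity);
    }

    let mut current = end_entity;
    for _ in 0..MAX_CHAIN_DEPTH {
        // The chain terminates at a CA anchor whose subject is the issuer.
        if anchors
            .iter()
            .any(|a| a.kind == AnchorKind::Ca && a.cert.subject == current.issuer)
        {
            return Ok(());
        }
        // Otherwise look for an intermediate CA that issued `current`.
        match intermediates
            .iter()
            .find(|c| c.is_ca && c.subject == current.issuer)
        {
            Some(next) => current = next,
            None => return Err(Error::UnknownIssuer),
        }
    }
    Err(Error::UnknownIssuer)
}

/// Constructed sample: an LND-style self-signed cert with the CA flag set.
pub fn sample_self_signed() -> Cert {
    Cert {
        der: b"constructed-der-bytes-lnd".to_vec(),
        subject: "lnd.example".into(),
        issuer: "lnd.example".into(),
        is_ca: true,
    }
}

fn main() {
    let ee = sample_self_signed();
    // No anchor at all: rejected with the error from the issue.
    println!("{:?}", verify_server_cert(&[], &ee, &[], "lnd.example"));
    // Added as a normal CA root: still rejected, the EE carries the CA flag.
    let as_ca = [TrustAnchor { cert: ee.clone(), kind: AnchorKind::Ca }];
    println!("{:?}", verify_server_cert(&as_ca, &ee, &[], "lnd.example"));
    // Added with the proposed flag: accepted.
    let as_ee = [TrustAnchor { cert: ee.clone(), kind: AnchorKind::SelfSignedEndEntity }];
    println!("{:?}", verify_server_cert(&as_ee, &ee, &[], "lnd.example"));
}
```

The point of the exact-match rule is that a flagged anchor never widens what the verifier accepts beyond that one certificate: a second certificate with the same subject but different bytes falls through to the chain check and is rejected there, which is why the bytewise comparison is reasonable as long as the name check and expiry handling of a real verifier are still applied.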
This issue was closed 6 months ago. I locked the conversation here to avoid distracting people. I am open to making webpki more flexible but doing things that are just flat-out wrong and dangerous is out of scope of this project, so I'd rather not discuss such solutions here. I know this sounds harsh; not trying to be. I just want to keep discussion here focused on implementing correct certificate validation. I hope you understand.
Hello,
I'm trying to connect to a gRPC server that provides a self-signed certificate.
However, I'm getting the following error: WebPKIError(CAUsedAsEndEntity).
If I understand correctly, WebPKI wants the CA to issue an end-entity certificate instead of using just the self-signed CA cert itself.
Unfortunately I don't control the server software that generates the certificate, so I was wondering if there is a way to allow a self-signed CA cert to be used as an end-entity cert?
webpki/src/verify_cert.rs, line 234 in 0573c1e (fwiw, removing this line passes the validation of the cert and the connection happens with the rustls tlsclient example)
Here is an example of the certificate used in case it helps:
Thank you