Replies: 2 comments
-
You only have one self-signed certificate, which is part of the certificate store, and it can't be used on its own, right? I've confirmed this behavior: it is indeed not possible. In my opinion, this appears to be a bug caused by the statement found here. I'm currently updating some aspects of the X.509 path-building logic in #5047. I will also address your problem in this PR 👍 Until the pull request is merged, unfortunately, you'll have to continue using your custom callback, I guess...
-
Correct. As a workaround I added this:

```cpp
#include <botan/certstor.h>
#include <botan/tls_callbacks.h>
#include <botan/x509cert.h>

// Override in the application's class derived from Botan::TLS::Callbacks
// (named Callbacks here).
void Callbacks::tls_verify_cert_chain(
    const std::vector<Botan::X509_Certificate> &cert_chain,
    const std::vector<std::optional<Botan::OCSP::Response>> &ocsp_responses,
    const std::vector<Botan::Certificate_Store *> &trusted_roots,
    Botan::Usage_Type usage, std::string_view hostname,
    const Botan::TLS::Policy &policy) {
  // Botan will not accept any self-signed cert, so handle a lone self-signed
  // peer certificate here: accept it only if one of the trust stores has it.
  if (cert_chain.size() == 1 && cert_chain[0].is_self_signed()) {
    const auto &cert = cert_chain[0];
    for (auto *store : trusted_roots) {
      const auto found =
          store->find_cert(cert.subject_dn(), cert.subject_key_id());
      if (found.has_value()) {
        return;  // trusted: Botan's path validation is skipped entirely
      }
    }
  }
  // Everything else goes through the default path validation.
  Botan::TLS::Callbacks::tls_verify_cert_chain(
      cert_chain, ocsp_responses, trusted_roots, usage, hostname, policy);
}
```

This allows self-signed certs, as long as they are in the trusted cert store (but it does not check for things like expiration, or other things).
-
It looks like the Botan TLS client rejects certificates that are self-signed and the root of a CA chain, despite them being trusted (i.e. added to the proper directories on Linux). This is different from OpenSSL afaik.
I have a bit of code in the callbacks to allow them (chain size == 0 and is_signed() and the lookup for it in the cert store succeeds), but maybe there is a better way?