Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for fingerprint alg #137

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Add support for fingerprint alg #137

wants to merge 4 commits into from

Conversation

bazsi
Copy link
Member

@bazsi bazsi commented Jun 2, 2024
edited
Loading

This branch allows you to specify the fingerprint-alg() to be used for validating key fingerprints in trusted-keys()

Fixes: syslog-ng/syslog-ng#4976

bazsi added 2 commits June 2, 2024 19:19
@bazsi
tls-context: add support for setting fingerprint-alg()
ebe95b8 
Signed-off-by: Balazs Scheidler <balazs.scheidler@axoflow.com>
@bazsi
afsocket: add fingerprint-alg() option to the tls() block
7452cf8 
Signed-off-by: Balazs Scheidler <balazs.scheidler@axoflow.com>
@bazsi bazsi mentioned this pull request Jun 2, 2024
Open
alltilla
alltilla reviewed Jun 3, 2024
View reviewed changes
Copy link
Member

@alltilla alltilla left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The last commit lacks the signoff part. I don't think it is a good idea if I write it for you and force push, so please add it yourself. Thanks!

The code looks good to me. We need a newsfile entry, but I can make it for you.

bazsi added 2 commits June 3, 2024 16:45
@bazsi
tls-session: validate trusted-keys() using the digest specified by fi…
7073a78 
…ngerprint-alg

Signed-off-by: Balazs Scheidler <balazs.scheidler@axoflow.com>
@bazsi
news: added news file
4cc0353 
Signed-off-by: Balazs Scheidler <balazs.scheidler@axoflow.com>
@bazsi bazsi force-pushed the add-support-for-fingerprint-alg branch from c5fc4f9 to 4cc0353 Compare June 3, 2024 14:55
@bazsi
Copy link
Member Author

bazsi commented Jun 3, 2024

I've rebased, fixed the signoff and added the news entry. btw, @MrAnno this PR now allows to trust specific keys, even if their X.509 validation fails.

The code did not support it thus far, but I think this has always been the intention. Currently, trusted-keys() will only trust keys that are otherwise trusted, which does not make much sense to me.

The documentation is not that clear on this topic either (@fekete-robert).

@bazsi bazsi mentioned this pull request Jul 16, 2024
Merged
@MrAnno
Copy link
Member

MrAnno commented Oct 12, 2024

From #136:

I was not completely right here: if the fingerprint alg is chosen well, it is suitable to replace the CA-based verification, and that can be a perfectly valid use case.

With this new implementation, we should not default to SHA1, and we should consider not letting users set a weak hash function.
To avoid any confusion, I'd remove the old option and introduce a new one, for example:

trusted-fingerprints(sha256, "aa:bb:cc", ...)

I can implement the missing parts next week.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alltilla alltilla alltilla left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

trusted-keys: support a secure hash algorithm
3 participants
@bazsi @MrAnno @alltilla