rework filter script; add DST Root CA X3 for Let's Encrypt on mbedTLS #1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Useful debugging commands. Note that these aren't testing mbedTLS, so they mostly are helpful for determining what should be happening. openssl s_client -showcerts -connect site.api.espn.com:443 < /dev/null
openssl s_client --CAfile roots.pem -no-CApath -showcerts -connect site.api.espn.com:443 < /dev/null
certtool -i < roots.pem |
This was referenced Sep 11, 2023
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Let's Encrypt has two alternative certificate chains, to accommodate some older devices whose root certificate lists cannot be updated. See https://community.letsencrypt.org/t/production-chain-changes/150739, and also read what it links to.
R3intermediate cert <-ISRG Root X1(special cross-signed version) <-DST Root CA X3R3intermediate cert <-ISRG Root X1(special cross-signed version)Note that
DST Root CA X3expired in September 2021, but the default chain above still works, as explained below.The End-entity cert, the
R3cert, and theISRG Root X1cert are all supplied by the server that is using Let's Encrypt. TheISRG Root X1cert has two versions:ISRG Root X1, self-signed to be a root cert. This is the "regular" version found in cert lists used by Mozilla, etc, such as https://curl.se/docs/caextract.html. It is not what is supplied by the server. It was already indata/roots.pemin this repo. This version is listed as https://crt.sh/?id=9314791.ISRG Root X1, signed byDST Root CA X3. This version is not inroots.pem. Instead it is supplied as the last server-supplied certificate in the chains listed above. This version is listed as https://crt.sh/?id=3958242236.For most SSL/TLS implementations, the chain verifier gets to the
ISRG Root X1, and decides thatISRG Root X1represents a "trust anchor" that verifies the chain is OK. This is because the self-signed version ofISRG Root X1is in the chain verifier's local list of trusted root certs. The verifier does not bother to look forDST Root CA X3because it already has a trust anchor. The twoISRG Root X1certs do not have to match exactly.For mbedTLS, as used in ESP-IDF, this "trust anchor" mechanism does not seem to work, or at least as we are using it. Instead the actual
DST Root CA X3has to be available. I'm not sure if this is a deficiency of mbedTLS, or it is because mbedTLS doesn't know the date and time it is, or some other reason. I looked at the mbedTLS compilation flags, but found none that seem related.In any case, adding the
DST Root CA X3fixes the problem, and that is what this PR does. I found a few other references to this problem and doing the same solutionwhile websearching, but never found a fully complete explanation.In addition, this PR improves the tooling:
issuertofilter, because it's more correct.filter_certs.py--commentoption. Theroots.pemproduced is now always commented, because in general, in.pemfiles, anything that is outside the certificate delimiter lines is ignored.