[eval] Fix ssl cert verification failures on clean windows environments#11838
Merged
Simn merged 10 commits intoHaxeFoundation:developmentfrom Nov 25, 2024
Merged
Conversation
Warning C6387 'parameters' could be '0': this does not adhere to the specification for the function 'CertGetCertificateChain'. Warning C6387 'policy_parameters' could be '0': this does not adhere to the specification for the function 'CertVerifyCertificateChainPolicy'. This also fixes an "incorrect parameter" runtime error.
We need to do this every time, because if any callback call returns a non zero flags then the entire verification fails, see: https://github.com/Mbed-TLS/mbedtls/blob/3aefa5b705846c5d4466ae8747160ae9e5054ea8/library/x509_crt.c#L3031 We don't need to loop through the chain, since mbedtls already loops through and calls the callback on every certificate in the chain.
This avoids duplicate certificates in the store
The windows api functions won't check this automatically for us without further modifications, so it's easiest to just respect mbedtls' judgement and propagate this error.
Member
|
Thanks a lot guys! |
This was referenced Dec 5, 2024
kLabz
pushed a commit
that referenced
this pull request
Mar 6, 2025
…ts (#11838) * Use windows api to verify ssl certs Taken from: Apprentice-Alchemist/hashlink@4d59012 * Handle error if cert store fails to open * Fix mscv warnings about invalid arguments Warning C6387 'parameters' could be '0': this does not adhere to the specification for the function 'CertGetCertificateChain'. Warning C6387 'policy_parameters' could be '0': this does not adhere to the specification for the function 'CertVerifyCertificateChainPolicy'. This also fixes an "incorrect parameter" runtime error. * Clear errors if certificate loading succeeded * Perform checks for all calls of verify_callback We need to do this every time, because if any callback call returns a non zero flags then the entire verification fails, see: https://github.com/Mbed-TLS/mbedtls/blob/3aefa5b705846c5d4466ae8747160ae9e5054ea8/library/x509_crt.c#L3031 We don't need to loop through the chain, since mbedtls already loops through and calls the callback on every certificate in the chain. * Free handles on certificate verification errors * Replace existing certificates if they exist This avoids duplicate certificates in the store * Propagate CN_MISMATCH ssl cert error The windows api functions won't check this automatically for us without further modifications, so it's easiest to just respect mbedtls' judgement and propagate this error. * Clarify comment regarding error mapping * Skip verification callback if no errors were found
kLabz
pushed a commit
that referenced
this pull request
Mar 7, 2025
…ts (#11838) * Use windows api to verify ssl certs Taken from: Apprentice-Alchemist/hashlink@4d59012 * Handle error if cert store fails to open * Fix mscv warnings about invalid arguments Warning C6387 'parameters' could be '0': this does not adhere to the specification for the function 'CertGetCertificateChain'. Warning C6387 'policy_parameters' could be '0': this does not adhere to the specification for the function 'CertVerifyCertificateChainPolicy'. This also fixes an "incorrect parameter" runtime error. * Clear errors if certificate loading succeeded * Perform checks for all calls of verify_callback We need to do this every time, because if any callback call returns a non zero flags then the entire verification fails, see: https://github.com/Mbed-TLS/mbedtls/blob/3aefa5b705846c5d4466ae8747160ae9e5054ea8/library/x509_crt.c#L3031 We don't need to loop through the chain, since mbedtls already loops through and calls the callback on every certificate in the chain. * Free handles on certificate verification errors * Replace existing certificates if they exist This avoids duplicate certificates in the store * Propagate CN_MISMATCH ssl cert error The windows api functions won't check this automatically for us without further modifications, so it's easiest to just respect mbedtls' judgement and propagate this error. * Clarify comment regarding error mapping * Skip verification callback if no errors were found
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This uses an mbedtls callback to call some windows api functions if verification fails, which avoids certain failures in clean windows environments.
For example, this allows running haxelib via eval in a clean windows environment without the certificate verification failing.
Thanks to @Apprentice-Alchemist and @Aidan63 for their help in solving/debugging the problem!