
Set crl_check to best_effort #38

Open
wants to merge 1 commit into master

Conversation

@tanguilp tanguilp commented Feb 6, 2024

I'm proposing this PR after coming across mds.fidoalliance.org:443's certificate, which doesn't contain a CRL. It recently switched to OCSP as far as I can see:


Using true for crl_check, validation fails. We don't have OCSP implemented yet in BEAM, but still I think we need to let these chains validate. What do you think?

The issue with the current recommendation is that a configured HTTP client can fail when the certificate is updated to OCSP-only (which recently happened with wax).
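Before deciding between a strict crl_check and best_effort it helps to see which revocation mechanism a leaf actually advertises. The following is an added Python example, not code from the PR or the project: it walks the DER of the certificate this PR discusses with a minimal TLV reader (standard library only) and reports whether the certificate carries a CRL Distribution Points extension or an OCSP responder in Authority Information Access. For this certificate it finds OCSP only, which is why a strict crl_check has no CRL to fetch and best_effort is needed for the chain to validate.

```python
import base64
# Leaf certificate quoted in this PR (fidoalliance.org, issued by Let's Encrypt E1), PEM body only.
PEM_B64 = (
    "MIIDuzCCA0GgAwIBAgISAwks8G62Fql4kngFvP910sQYMAoGCCqGSM49BAMDMDIx" "CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF" "MTAeFw0yNDAxMTgwNTQ3NTdaFw0yNDA0MTcwNTQ3NTZaMBsxGTAXBgNVBAMTEGZp"
    "ZG9hbGxpYW5jZS5vcmcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR1GfbxKIwe" "8eIwMybd/7btDOAt6cF7OT11y4F6UBI/CYrGW1tGH+bdttruID2OhDEyJJoHC0Ld" "M6mzSqXfHbCZo4ICTDCCAkgwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsG"
    "AQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRoJiwh7Sb4" "/xBwZd49m9oB+yy9wDAfBgNVHSMEGDAWgBRa8+0r/DbCN3m5UjDqVG/PVcsurDBV" "BggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lMS5vLmxlbmNyLm9y"
    "ZzAiBggrBgEFBQcwAoYWaHR0cDovL2UxLmkubGVuY3Iub3JnLzBWBgNVHREETzBN" "ghIqLmZpZG9hbGxpYW5jZS5vcmeCJSoub25kZW1hbmQuY2VydGluZnJhLmZpZG9h" "bGxpYW5jZS5vcmeCEGZpZG9hbGxpYW5jZS5vcmcwEwYDVR0gBAwwCjAIBgZngQwB"
    "AgEwggEDBgorBgEEAdZ5AgQCBIH0BIHxAO8AdgBIsONr2qZHNA/lagL6nTDrHFIB" "y1bdLIHZu7+rOdiEcwAAAY0bU5GGAAAEAwBHMEUCIQCjtg1hnkODtl6vcwScOuya" "tEZitciTsikLl7Py+CRRmwIgR9/vueh4CSVOpKuUYQQYxZM3KGeM4aHz/W87sJt7"
    "EHIAdQA7U3d1Pi25gE6LMFsG/kA7Z9hPw/THvQANLXJv4frUFwAAAY0bU5GrAAAE" "AwBGMEQCIG0UvM7lVlEpTm1iZBbQBB6Y6yaqbpheQEKb/mQvDqT5AiAJzkKs772d" "UhS0e1bxgxDFLXomR0LIzLaI6oUVPrSwuzAKBggqhkjOPQQDAwNoADBlAjEA7/yf"
    "67NFbHHc6WRX6jmCuAwm1thw/DqSaoo3EeVoowRNGEjPRWqT4IXO2Z2Qhb+OAjA6" "IB56di6XAtnld6EJaptCeG9bYuv9xI/HEIUF71l970yDCPJ1fpJEPmoF6YO7Xwo="
)
DER = base64.b64decode(PEM_B64)                  # sample input for the check below
OID_CRL_DP = bytes.fromhex("551d1f")             # 2.5.29.31           cRLDistributionPoints
OID_AIA = bytes.fromhex("2b06010505070101")      # 1.3.6.1.5.5.7.1.1   authorityInfoAccess
OID_OCSP = bytes.fromhex("2b06010505073001")     # 1.3.6.1.5.5.7.48.1  id-ad-ocsp (accessMethod)

def tlv(buf, pos=0):  # read one DER TLV (single-byte tag) at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):  # yield (tag, value) for each TLV directly inside a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        yield tag, val

def revocation_pointers(der):
    """Return {'crl_dp': bool, 'ocsp': bool}: the revocation mechanisms the certificate advertises."""
    found = {"crl_dp": False, "ocsp": False}
    tbs = next(children(tlv(der)[1]))[1]         # Certificate -> tbsCertificate (first element)
    for tag, val in children(tbs):
        if tag != 0xA3:                          # extensions are [3] EXPLICIT SEQUENCE OF Extension
            continue
        for _, ext in children(next(children(val))[1]):
            parts = list(children(ext))          # extnID, [critical BOOLEAN], extnValue OCTET STRING
            oid, extn_value = parts[0][1], parts[-1][1]
            if oid == OID_CRL_DP:
                found["crl_dp"] = True
            elif oid == OID_AIA:                 # OCTET STRING wraps SEQUENCE OF AccessDescription
                for _, desc in children(next(children(extn_value))[1]):
                    if next(children(desc))[1] == OID_OCSP:
                        found["ocsp"] = True
    return found

def strict_crl_check_would_reject(der):
    return not revocation_pointers(der)["crl_dp"]  # no CRL DP: crl_check=true fails, best_effort accepts
```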

@tanguilp (Author):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:09:2c:f0:6e:b6:16:a9:78:92:78:05:bc:ff:75:d2:c4:18
    Signature Algorithm: ecdsa-with-SHA384
        Issuer: C=US, O=Let's Encrypt, CN=E1
        Validity
            Not Before: Jan 18 05:47:57 2024 GMT
            Not After : Apr 17 05:47:56 2024 GMT
        Subject: CN=fidoalliance.org
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                68:26:2C:21:ED:26:F8:FF:10:70:65:DE:3D:9B:DA:01:FB:2C:BD:C0
            X509v3 Authority Key Identifier: 
                keyid:5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC

            Authority Information Access: 
                OCSP - URI:http://e1.o.lencr.org
                CA Issuers - URI:http://e1.i.lencr.org/

            X509v3 Subject Alternative Name: 
                DNS:*.fidoalliance.org, DNS:*.ondemand.certinfra.fidoalliance.org, DNS:fidoalliance.org
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : 48:B0:E3:6B:DA:A6:47:34:0F:E5:6A:02:FA:9D:30:EB:
                                1C:52:01:CB:56:DD:2C:81:D9:BB:BF:AB:39:D8:84:73
                    Timestamp : Jan 18 06:47:58.086 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : 3B:53:77:75:3E:2D:B9:80:4E:8B:30:5B:06:FE:40:3B:
                                67:D8:4F:C3:F4:C7:BD:00:0D:2D:72:6F:E1:FA:D4:17
                    Timestamp : Jan 18 06:47:58.123 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
    Signature Algorithm: ecdsa-with-SHA384
