DST Root CA X3 expiration update
Posted 2021-08-29 11:47:43.370644
A few things have happened since my previous post:
- Patches were released for Erlang/OTP 23.3 and 24
- Production certificates issued by Let’s Encrypt now have a validity that allows for realistic testing
- I have had some more time to verify the impact on different clients
This post corrects a few statements I made in the original post, in particular regarding the impact on Hackney: if you are a Hackney (or HTTPoison, or Tesla-with-Hackney) user you’ll find some good news further below.
I won’t cover the background again in this post, so please refer to the original post to learn more about how the DST Root CA X3 expiration on September 30th may impact BEAM TLS clients that connect to servers with Let’s Encrypt certificates.
Patch packages
The Erlang/OTP team have improved the handling of alternate certificate chains and released the following patch packages:
- OTP 23.3.4.5, with ssl-10.3.1.2 and public_key-1.10.0.1
- OTP 24.0.4, with ssl-10.4.2 and public_key-1.11.1
If you are on OTP 23.3 or 24.0 I would strongly recommend you upgrade to a patched version before the end of September. Older versions are not impacted in the same way, so no patch is available. However, those versions may still experience issues after September: keep reading for details.
Note that the new logic makes the partial_chain hook used by many TLS clients superfluous in most cases: shorter chains are now recognized and selected by the built-in certificate chain verification logic.
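To tell whether a running node already carries these patches, compare its ssl and public_key application versions with the minimums listed above. The module below is an added example, not code from the original post or from Erlang/OTP; the module name dst_x3_check, its function names and the result atoms are made up for illustration, and treating release lines newer than ssl-10.4 / public_key-1.11 as already fixed is an assumption.

```erlang
-module(dst_x3_check).
-export([check/0, classify/2]).

%% Minimum patched versions per release line, taken from the post:
%%   OTP 23.3.4.5 -> ssl-10.3.1.2, public_key-1.10.0.1
%%   OTP 24.0.4   -> ssl-10.4.2,   public_key-1.11.1
-define(PATCHED, [{ssl,        [10,3], [10,3,1,2]},
                  {ssl,        [10,4], [10,4,2]},
                  {public_key, [1,10], [1,10,0,1]},
                  {public_key, [1,11], [1,11,1]}]).

%% Report {App, VersionString, Status} for the applications of this node.
check() ->
    [begin
         _ = application:load(App),            % ok or already_loaded
         {ok, Vsn} = application:get_key(App, vsn),
         {App, Vsn, classify(App, Vsn)}
     end || App <- [ssl, public_key]].

%% Status is one of: patched | needs_patch | older_line | newer_line
classify(App, VsnStr) ->
    Vsn  = [list_to_integer(P) || P <- string:lexemes(VsnStr, ".")],
    Line = lists:sublist(Vsn, 2),              % e.g. [10,3] for "10.3.1"
    case [Min || {A, L, Min} <- ?PATCHED, A =:= App, L =:= Line] of
        %% Erlang compares lists element by element, and a proper prefix
        %% sorts first, so [10,3,1] < [10,3,1,2] as required.
        [Min] when Vsn >= Min -> patched;
        [_]                   -> needs_patch;
        []                    -> other_line(App, Line)
    end.

other_line(App, Line) ->
    Oldest = lists:min([L || {A, L, _} <- ?PATCHED, A =:= App]),
    case Line < Oldest of
        true  -> older_line;   % no patch exists; the post says issues may still occur
        false -> newer_line    % assumption: later release lines include the fix
    end.
```

Calling dst_x3_check:check() in the Erlang shell of a deployed release reports one tuple per application; a needs_patch result means the node is on OTP 23.3 or 24.0 without the patch package.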
Erlang/OTP impact of DST Root CA X3 expiration
Posted 2021-05-18 15:10:47.161830
Update: please check out this post for updates, especially regarding the impact on Hackney!
On September 30 2021, the root CA certificate DST Root CA X3 will expire. This should not have a noticeable impact on the Internet at large, as any recently issued server certificate will have been issued with a different trust chain that’s rooted in a newer root CA.
Let’s Encrypt has relied on the DST Root CA X3 to bootstrap its services, while in parallel working to get its own root CA (ISRG Root X1) included in all OS and browser trust stores. Now that the old root is reaching its end-of-life, it is time for Let’s Encrypt to stand on its own. However, there are still devices and applications out there that do not include Let’s Encrypt’s new root CA, in particular older Android devices. So Let’s Encrypt have arranged for a fall-back solution that will work with those older devices, and it involves an ‘alternate chain’ with a ‘cross-signed’ intermediate CA.
Unfortunately Erlang/OTP applications are likely to experience TLS handshake errors when trying to connect to servers that present the longer chain. Let’s have a closer look at what is likely to happen over the next few months, and why.
Continue reading...
Erlang/OTP ssl-10.2 vulnerability explained
Posted 2021-02-14 11:55:43.909512
Erlang/OTP 23.2.2 was released about a month ago, fixing a severe certificate verification vulnerability. If you are still using OTP 23.2 or 23.2.1, please upgrade now.
In this post I will demonstrate how the vulnerability can be exploited, and I will examine the root cause. But let’s start with a quick demo…
Quick demo
Since you should no longer have a vulnerable Erlang/OTP version installed, we’ll be spinning up a Docker container of Erlang/OTP 23.2.1 for our experiments. We’re going to need a CA trust store, so we’ll install the ca-certificates package before starting an Erlang shell:
$ docker run -it --rm hexpm/erlang:23.2.1-ubuntu-focal-20201008
root@40ccfb8c5f05:/# apt-get update && apt-get install ca-certificates -y
[...snip...]
done.
root@40ccfb8c5f05:/# erl
Erlang/OTP 23 [erts-11.1.5] [source] [64-bit] [smp:4:4] [ds:4:4:10] [async-threads:1] [hipe]
Eshell V11.1.5 (abort with ^G)
1>
Now let’s connect to a test server with a fake certificate, specifying the “DigiCert Global Root CA” as the trusted root:
1> ssl:start().
ok
2> ssl:connect("demo.voltone.net", 443, [{verify, verify_peer}, {cacertfile, "/usr/share/ca-certificates/mozilla/DigiCert_Global_Root_CA.crt"}]).
{ok,{sslsocket,{gen_tcp,#Port<0.7>,tls_connection,undefined},
[<0.114.0>,<0.113.0>]}}
3>
That seems to work, but if you try connecting to https://demo.voltone.net/ with a browser you’ll notice that the server’s certificate was not signed by DigiCert at all. Unaffected OTP versions (23.1 or earlier, 23.2.2 or later) also abort the TLS handshake:
2> ssl:connect("demo.voltone.net", 443, [{verify, verify_peer}, {cacertfile, "/usr/share/ca-certificates/mozilla/DigiCert_Global_Root_CA.crt"}]).
{error,{tls_alert,{bad_certificate,"TLS client: In state wait_cert_cr at ssl_handshake.erl:1874 generated CLIENT ALERT: Fatal - Bad Certificate\n"}}}
It is time to dig a little deeper…
Continue reading...
Older posts
- Certificate verification vulnerability in Erlang/OTP 23.2 (Posted 2021-01-15 12:06:59.472819)
- Off BEAM: Secure Coding for the BEAM (Posted 2020-05-04 07:26:41.557621)
- Why Mix no longer installs from HTTP(S) URLs (Posted 2020-01-01 20:02:12.309037)
- Creating an SBoM for Mix projects (Posted 2019-10-24 19:44:48.169213)
- Learn you some `:ssl` for much security (Posted 2019-04-09 12:43:35.136065)
- Hex package registry vulnerability (Posted 2019-01-29 14:13:52.780049)
- OCSP stapling for Erlang/OTP (Posted 2018-07-11 18:42:50.698413)
- PSA: retiring TLS test domains (Posted 2018-07-11 07:30:04.473948)
- Dual cert RSA/ECDSA server with Erlang/OTP 21 (Posted 2018-07-03 18:55:58.000000)
- Erlang/OTP 21 (Posted 2018-06-23 08:36:19.000000)
- Erlang/OTP 20.3 (Posted 2018-03-14 19:00:53.000000)
- CipherSuites package updated (Posted 2018-03-12 20:16:18.000000)
- Practical security for Elixir/Phoenix (Posted 2018-01-05 08:35:18.000000)
- Security training at ElixirConf EU 2018 (Posted 2017-11-02 20:48:35.000000)
- Unauthorized Erlang? (Posted 2017-04-15 08:26:16.000000)
- Hostname verification with Erlang/OTP 19.3 (Posted 2017-03-17 06:35:40.000000)
- Plug vulnerabilities: impact assessment (Posted 2017-03-01 13:16:28.000000)
- Catching up (Posted 2017-02-27 09:28:27.000000)
- The great HTTPS client shoot-out (Posted 2016-11-05 08:03:50.000000)
- "aRSA+ECDH+AES:@STRENGTH" FTW (Posted 2016-07-05 17:30:20.000000)
- Thou shalt not trust thy neighbour's password (Posted 2016-06-24 19:20:05.000000)
- Who wants cookies? (Posted 2016-06-13 19:35:52.000000)
- Erlang/OTP 19.0 (Posted 2016-06-06 19:02:02.000000)
- ElixirConf.EU talk: video (Posted 2016-06-01 18:52:50.000000)