SqueakSSL questions and problems

Hi,

I've been playing around with SqueakSSL in Squeak and Cuis recently and
found that most of the tests fail under Linux. It seems that the root of
the problem is that the example test certificate in
SqueakSSL>>#exampleCertFile is both expired (only valid from 2011->2012)
and also using cyphers no longer supported in TLS 1.3. This breaks the
tests using local connections.


I am nowhere even close to being a crypto expert so I'm asking how
should this be handled?

I believe that the certificate was supposed to be replaced every year
(or longer with longer valid dates) but don't want to do this without
some advice.

Should we just replace the old certificate with a new one with longer
validity or should there be some kind of automatic infrastructure to
generate them as appropriate? Maybe one that can be downloaded?

Another problem I found is that WebClient/SqueakSSL apparently *does not
verify* server certificates on MacOS. I don't know if this is just in
the tests or if it's for all TLS/SSL connection but it should be
clarified and/or fixed.

In addition to this, I found that some of the SqueakSSL tests ping
Google, Facebook and Yahoo urls. Changing these would be nice.

Finally, is SqueakSSL an appropriate name for a *TLS* library used on
both Squeak and Cuis? ;)

Thanks

P.S. Ordinary Squeak client to remote https servers connections work
fine on my linux machine. Wireshark shows TLS 1.3 connections.

Yah, you're right about the certificate. I actually mentioned it back in early May (about 300 years ago, amiright?) and we promptly did nothing about it.


tim
--
tim Rowledge; [hidden email]; http://www.rowledge.org/tim
Strange OpCodes: PBF: Pay Bus Fare

On 27/10/2020 19:09, tim Rowledge wrote:
> Yah, you're right about the certificate. I actually mentioned it back in early May (about 300 years ago, amiright?) and we promptly did nothing about it.

Ah. I've only come back to Squeak/Cuis a few months ago so must have
missed that. I would have saved me some digging.


Replacing the old certificate would be just a matter of putting the
ascii format version in the right method. Maybe I'll have a stab at it
if no one skilled with crypto stuff does it.

+

> Should we just replace the old certificate with a new one with longer validity or should there be some kind of automatic infrastructure to generate them as appropriate? Maybe one that can be downloaded?
>

+

> Another problem I found is that WebClient/SqueakSSL apparently *does not verify* server certificates on MacOS.

+

> I don't know if this is just in the tests or if it's for all TLS/SSL connection but it should be clarified and/or fixed.
>

++> All in all, SqueakSSL _used_to_ only verify on Windows, because it did not work anywhere else.
For Unix/openssl, I implemented Cert checking in so far that the hostname is ok, (maybe more? i cant remember),
for libressl/libtls, it should validate most things.

For Mac, things were meeeh. I even debugged into CommonCrypto and such just to find that it goes "should I verify here?" which was deeeply frustrating.

In theory, things should validate, in practice, not so much.


> In addition to this, I found that some of the SqueakSSL tests ping Google, Facebook and Yahoo urls. Changing these would be nice.

Hmm. These ones are useful and maaaybe are not down so often.
Anything we control is bound to have more downtime ¯\_(ツ)_/¯


>
> Finally, is SqueakSSL an appropriate name for a *TLS* library used on both Squeak and Cuis? ;)

History…

>
> Thanks
>
> P.S. Ordinary Squeak client to remote https servers connections work fine on my linux machine. Wireshark shows TLS 1.3 connections.

Depends on your OpenSSL library version :)

Best regards
        -Tobias

On 27/10/2020 20:00, Tobias Pape wrote:
>
>> On 27.10.2020, at 19:31, Douglas Brebner <[hidden email]> wrote:

++> All in all, SqueakSSL _used_to_ only verify on Windows, because it
did not work anywhere else.
For Unix/openssl, I implemented Cert checking in so far that the
hostname is ok, (maybe more? i cant remember), for libressl/libtls, it
should validate most things.

Ok, something to take a look at then.

> For Mac, things were meeeh. I even debugged into CommonCrypto and such just to find that it goes "should I verify here?" which was deeeply frustrating.

Ouch, so Mac users just have to keep a close eye on things then.


> In theory, things should validate, in practice, not so much.

Wonderful. Something else to investigate.


>> In addition to this, I found that some of the SqueakSSL tests ping Google, Facebook and Yahoo urls. Changing these would be nice.
>
> Hmm. These ones are useful and maaaybe are not down so often.
> Anything we control is bound to have more downtime ¯\_(ツ)_/¯

Alright. I just don't like pinging them. Especially since the tests need
fixed *anyway* due to various errors they're hiding. (The TLS connection
works but the http layer returns errors due to site changes).

>> Finally, is SqueakSSL an appropriate name for a *TLS* library used on both Squeak and Cuis? ;)
>
> History…

Yeah, I just wondered if there was any interest in changing the name or
not. I'm fine with leaving it as is.

>> P.S. Ordinary Squeak client to remote https servers connections work fine on my linux machine. Wireshark shows TLS 1.3 connections.
>
> Depends on your OpenSSL library version :)

I realised that :)
I just meant that it support the latest TLS 1.3 without needing any
changes. I was concerned that SqueakSSL would need updated for that and
that's *definitely* something I don't want to touch.

Thanks