Zinc + HTTPS does not check for self signed certificates.

Zinc + HTTPS does not check for self signed certificates.

Julián Maestri-2
tl;dr
Querying an HTTPS site with a self-signed certificate does not fail / raise an exception (and it should).

Long:
I'm trying to use client and server HTTPS validation with Zinc on Pharo.

I prepared a self-signed CA certificate, and server and client certificates signed by that same CA.
I set up an Apache server with a site over HTTPS requiring client authentication. This worked (I had to install the client certificate in my browser to access the site).

After some failed attempts, I found this link, which was very helpful, and successfully managed to authenticate a ZnClient with the Apache server.

This is the small snippet; configuring the full path to the client certificate is enough (getting the right format for the PEM file is another matter: it must contain both the certificate and the key).

| result |
"Clear the Transcript so only this request's log lines are shown"
Transcript clear.
result := ZnClient new
  "Combined PEM file: client certificate followed by its private key"
  certificate: 'certs/client.pem' asFileReference asAbsolute pathString;
  logToTranscript;
  url: 'https://my-secure-site';
  get.
Transcript crShow: result.

That worked on Linux; Windows still fails, and I don't know why.

Trying to make it work on Linux, I started checking without client authentication, and realized that Zinc was not complaining about the server certificate not being known to a trusted CA.
I replaced the server certificate with a new one, self-signed to make the case simpler, and Zinc still did not complain.

This is a problem, it should either fail, or let me configure it to fail when the server is not trustworthy.
I'm not sure if it's Zinc, Zodiac or the SqueakSSL plugin.

Am I doing anything wrong? Is there a configuration option which I cannot find? If necessary, I can (temporarily) set up a public server with a self-signed certificate to help reproduce the case (the server I'm currently using is on a local network).



PS: Sadly, for this particular project (a reverse proxy) this would be a no-go; I cannot use Pharo :(
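The check the post says is missing, shown outside Pharo with openssl. This is an added example, not Zinc or Zodiac code and not from the original thread: it rebuilds the trust setup Julián describes (a self-signed CA, CA-signed server and client certificates, and a combined client PEM holding certificate and key), adds a separate self-signed server certificate that no CA vouches for, and then runs the chain validation an HTTPS client must perform before trusting a server. The scratch directory, file names and CN values are assumptions.

```shell
#!/bin/sh
# Added example (not Zinc/Zodiac code): rebuild the trust setup from the post
# with openssl and run the server-certificate check an HTTPS client must do.
set -eu

# Assumption: a scratch directory; the file names below are illustrative.
WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA, plus server and client certificates signed by that CA
# (the setup described in the post), and one self-signed server certificate
# that no CA vouches for (the case Zinc did not complain about).
make_certs() {
  # The CA itself
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  # CSRs for server and client, each signed by the CA
  for name in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORK/$name.csr" \
      -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
      -out "$WORK/$name.crt" >/dev/null 2>&1
  done
  # The combined PEM the post mentions: certificate first, then private key
  cat "$WORK/client.crt" "$WORK/client.key" > "$WORK/client.pem"
  # Self-signed server certificate, not issued by the CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=server" \
    -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.pem" >/dev/null 2>&1
}

# Format check on the client PEM: both a certificate and a key block present.
pem_has_cert_and_key() {
  grep -q "BEGIN CERTIFICATE" "$1" && grep -q "PRIVATE KEY" "$1"
}

# Chain validation: does a CA in the trust store ($2) vouch for certificate $1?
# Returns 0 (trusted) or 1 (untrusted); a client must treat 1 as a fatal error.
verify_chain() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo "trusted:   $1"
  else
    echo "untrusted: $1"
    return 1
  fi
}

make_certs
pem_has_cert_and_key "$WORK/client.pem"
verify_chain "$WORK/server.crt" "$WORK/ca.pem"
# Rejected, as it should be: this is the check the post found missing.
verify_chain "$WORK/selfsigned.pem" "$WORK/ca.pem" || true
```

Against a live server the handshake-level equivalent is `openssl s_client -connect my-secure-site:443 -CAfile ca.pem -verify_return_error`, which aborts the handshake when the server chain does not validate; that abort is the behaviour the post is asking the Pharo client to have.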


Re: Zinc + HTTPS does not check for self signed certificates.

Julián Maestri-2
Forgot to mention, this was done in Pharo 6.1 (from the zeroconf script), on Windows 7 and Ubuntu 16.04 (32-bit VM).

On 10 July 2018 at 20:28, Julián Maestri <[hidden email]> wrote:



Re: Zinc + HTTPS does not check for self signed certificates.

Sven Van Caekenberghe-2
Hi Julián,

Although we have TLS/SSL support (in the form of Zodiac, Zinc is just a user offering HTTP(S) on top), it is currently all dependent on a plugin that is different on all platforms and mostly lacks support for certificates.

It is what it is.

I know that some developers are working on these issues, but I won't / can't say more as this is all very early days.

Sven

> On 11 Jul 2018, at 01:28, Julián Maestri <[hidden email]> wrote: