
Using --certinfo_ca_file with a self-signed certificate authority leads to not trusted certificate error #678

Closed
AlexDanDuna opened this issue Nov 22, 2024 · 1 comment


AlexDanDuna commented Nov 22, 2024

Describe the bug
I have a server set up to use a certificate signed by a self-signed certificate authority. When trying to run SSLyze --certinfo targeting that server (specified using its host name from the command line, but also tried with localhost since I'm running the tool from the device hosting the server) and passing the self-signed certificate to --certinfo_ca_file, I get
'ERROR - Could not build verified chain (certificate untrusted?)' errors, along with
'FAILED - Certificate is NOT Trusted: validation failed: CandidatesExhausted(Other("Certificate extension has incorrect criticality"))' errors:

I am also adding the fact that I can connect to the server just fine from a browser by simply installing the self-signed CA file as trusted in Windows.

UPDATE: The errors do not show up in version 5.2.0, so this issue probably has to do with switching to the Python Cryptography certificate validation I saw in the changelog. However, even on 5.2.0, I am getting a valid certificate if I use the server's certificate as the certinfo_ca_file, which I don't think is intended behavior.

To Reproduce
Steps to reproduce the behavior:

  1. Download the SSLyze 6.0.0 binaries for Windows from GitHub
  2. Set up an HTTPS server having an SSL certificate that's signed by a self-signed CA.
  3. Run sslyze.exe --certinfo --certinfo_ca_file PATH_TO_SELF_SIGNED_CA SERVER_ADDRESS
  4. See errors
  5. However, running sslyze with --certinfo_ca_file pointing to the server's very certificate works just fine. Why is this happening?

Expected behavior
Command should run properly by passing the self-signed CA file. Also, I doubt it should work with the server's certificate passed as a CA as the CA should be used precisely for validating the server's certificate.

Python environment (please complete the following information):

  • Windows Server 2022
  • Python 3.11.8

Also tried running the tool from another computer on the local network running:

  • Windows 11 Enterprise
  • Python 3.11.9

[Forgive my bad terminology, please. I used 'self-signed CA' to mean the CA certificate file.]

@nabla-c0d3 (Owner)

This seems to be a bug either with the self-signed certificate or with cryptography's validation logic. There is a similar bug opened there: pyca/cryptography#12124

I don't think it can be "fixed" in SSLyze directly.

nabla-c0d3 closed this as not planned (Won't fix, can't repro, duplicate, stale) on Dec 24, 2024