MarketTakers/arbiter
6
0
Fork 0
Code Issues 27 Pull Requests 2 Packages Projects Releases Wiki Activity

security(useragent): validate server cert fingerprint and host instead of accepting all certificates #88

Closed
CleverWild wants to merge 1 commits from check-uac-cerf into main
pull from: check-uac-cerf
merge into: MarketTakers:main
Conversation 1 Commits 1 Files Changed 2 +54 -1
CleverWild commented 2026-04-10 12:44:42 +00:00
Member
Copy Link

closes #37

closes #37
CleverWild added 1 commit 2026-04-10 12:44:42 +00:00
security(useragent): validate server cert fingerprint and host instead of accepting all certificates
Some checks failed
ci/woodpecker/pr/useragent-analyze Pipeline failed
Details
9e1ab51398
CleverWild requested review from Skipper 2026-04-10 12:44:42 +00:00
Skipper commented 2026-04-11 08:06:21 +00:00
Owner
Copy Link

I appreciate the effort, but sadly this is wrong solution.
So first of all, we pin based on root CA, not leaf CA.
This means that we check if signer that signed presented certificate by server is trusted by us.
So basically, we should check hash of signer, not hash of certificate itself.

Secondly, we just don't hash the whole certificate.
To preserve space, webpki in rust ecosystem doesn't store full certificate: it stores TrustAnchors. Those are just pubkey + expire and some more data.

In conclusion, to make this correct, I am planning to use rust bindings in my branch.

https://docs.rs/webpki/latest/webpki/struct.TrustAnchor.html

I appreciate the effort, but sadly this is wrong solution. So first of all, we pin based on root CA, not leaf CA. This means that we check if signer that signed presented certificate by server is trusted by us. So basically, we should check hash of signer, not hash of certificate itself. Secondly, we just don't hash the whole certificate. To preserve space, `webpki` in rust ecosystem doesn't store full certificate: it stores `TrustAnchors`. Those are just pubkey + expire and some more data. In conclusion, to make this correct, I am planning to use rust bindings in my branch. https://docs.rs/webpki/latest/webpki/struct.TrustAnchor.html
Skipper closed this pull request 2026-04-11 08:06:21 +00:00
Some checks are pending
ci/woodpecker/pr/useragent-analyze Pipeline failed
Details
ci/woodpecker/pr/server-audit
Required
ci/woodpecker/pr/server-lint
Required
ci/woodpecker/pr/server-test
Required

Pull request closed

Please reopen this pull request to perform a merge.
Sign in to join this conversation.
Reviewers
No Reviewers
Skipper
Labels
Clear labels
Compat
Breaking
Breaking change that won't be backward compatible
Difficulty
High
3
Hard difficulty. Experience needed to fix: A lot.
Difficulty
Low
1
Easy difficulty. Experience needed to fix: Not much. Good first issue.
Difficulty
Medium
2
Medium difficulty. Experience needed to fix: Intermediate.
Kind
Bug
This is a bug.
Kind
Enhancement
Improve existing functionality.
Kind
Feature
New functionality
Kind
RFC
Request for comments
Kind
Security
This is security issue
Kind
Testing
This is testing issue.
Kind
Tracking issue
An issue tracking the progress of sth. like the implementation of an RFC
Priority
Critical
1
The priority is critical
Priority
High
2
The priority is high
Priority
Low
4
The priority is low
Priority
Medium
3
The priority is medium
Reviewed
Confirmed
1
Issue has been confirmed
Reviewed
Duplicate
2
This issue or pull request already exists
Reviewed
Invalid
3
Invalid issue
Reviewed
Pending
4
Requires review by dev
Reviewed
Won't Fix
3
This issue won't be fixed
Status
Abandoned
3
Somebody has started to work on this but abandoned work
Status
Blocked
1
Something is blocking this issue or pull request
Status
Need More Info
2
Feedback is required to reproduce issue or to continue work
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
CleverWild Skipper Tangonell goodvin testuser
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: MarketTakers/arbiter#88
Delete Branch "check-uac-cerf"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?