Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[eval] Fix ssl cert verification failures on clean windows environments #11838

Merged

Conversation

tobil4sk
Copy link
Member

This uses an mbedtls callback to call some windows api functions if verification fails, which avoids certain failures in clean windows environments.

For example, this allows running haxelib via eval in a clean windows environment without the certificate verification failing.

Thanks to @Apprentice-Alchemist and @Aidan63 for their help in solving/debugging the problem!

Warning	C6387	'parameters' could be '0':  this does not adhere to the specification for the function 'CertGetCertificateChain'.

Warning	C6387	'policy_parameters' could be '0':  this does not adhere to the specification for the function 'CertVerifyCertificateChainPolicy'.

This also fixes an "incorrect parameter" runtime error.
We need to do this every time, because if any callback call returns a
non zero flags then the entire verification fails, see:
https://github.com/Mbed-TLS/mbedtls/blob/3aefa5b705846c5d4466ae8747160ae9e5054ea8/library/x509_crt.c#L3031

We don't need to loop through the chain, since mbedtls already loops
through and calls the callback on every certificate in the chain.
This avoids duplicate certificates in the store
The windows api functions won't check this automatically for us without
further modifications, so it's easiest to just respect mbedtls'
judgement and propagate this error.
@Simn Simn merged commit 384c678 into HaxeFoundation:development Nov 25, 2024
50 checks passed
@Simn
Copy link
Member

Simn commented Nov 25, 2024

Thanks a lot guys!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants