TLS: Check EKU in X509 chain checks #2670

NickCraver · 2024-03-12T14:47:33Z

Further hardening following #2665. This is an additional check to match the .NET implementation for TLS cert checks so that we don't treat a cert flagged as non-TLS-server effectively. This ensures that a certificate either doesn't have OIDs here (valid, backwards compatible) or has the server-certificate OID indicating it's valid for consumption over TLS for us.

Cheers @bartonjs for the report and info here.

This is an additional check to match the .NET implementation for TLS cert checks so that we don't treat a cert flagged as non-TLS-server effectively. This ensures that a certificate either doesn't have OIDs here (valid, backwards compatible) or has the server-certificate OID indicating it's valid for consumption over TLS for us.

philon-msft

Tests successfully on Azure Redis cache

NickCraver added 2 commits March 11, 2024 11:04

2.7.33 Release notes

60e5d17

NickCraver requested a review from philon-msft March 12, 2024 14:47

philon-msft approved these changes Mar 12, 2024

View reviewed changes

bartonjs approved these changes Mar 12, 2024

View reviewed changes

Update release notes

3617ebc

NickCraver merged commit 2f69707 into main Mar 12, 2024
7 checks passed

NickCraver deleted the craver/tls-trusted-issuer-eku branch March 12, 2024 21:54

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

TLS: Check EKU in X509 chain checks #2670

TLS: Check EKU in X509 chain checks #2670

NickCraver commented Mar 12, 2024

philon-msft left a comment

TLS: Check EKU in X509 chain checks #2670

TLS: Check EKU in X509 chain checks #2670

Conversation

NickCraver commented Mar 12, 2024

philon-msft left a comment

Choose a reason for hiding this comment