[Bug]: Unable to verify leaf signature with TLS connection #38527
Comments
Originally we generated the certificate on Windows using

```sh
openssl req -x509 -nodes -newkey rsa:2048 \
  -keyout localhost.key -out localhost.crt \
  -addext "keyUsage = digitalSignature, keyEncipherment" \
  -addext "subjectAltName=DNS:localhost" \
  -subj "/CN=localhost"
```

The certificate works for curl, Chrome, Node, Go programs, etc., but not Electron (I am testing by using the certificate in Caddy). The problem seems to be It seems like a bug in BoringSSL because I see code in openssl to ignore
@BlackHole1 sorry for the ping, but I noticed you commented on a similar issue and I'm also running into the bug above. Do you have an idea of where the problem could be?
After some more testing I believe the reason it does not affect Chrome is because it accepts partial chains and that circumvents the
I can confirm the findings mentioned in #38527 (comment). Removing the
@code-asher Thanks for investigating! Is there any hope that this bug will be solved?
Thanks for the confirmation! I was looking into putting together a patch for BoringSSL but I have not yet had the time. I think the change itself would be fairly straightforward, but if I recall correctly I got a bit tied up trying to build Electron with changes to BoringSSL.
This issue has been automatically marked as stale. If this issue is still affecting you, please leave any comment (for example, "bump"), and we'll keep it open. If you have any new additional information, in particular if this is still reproducible in the latest version of Electron or in the beta, please include it with your comment!
Still reproduces in 28.1.1.
This issue has been automatically marked as stale. If this issue is still affecting you, please leave any comment (for example, "bump"), and we'll keep it open. If you have any new additional information, in particular if this is still reproducible in the latest version of Electron or in the beta, please include it with your comment!
Still reproduces in 29.2.0.
I saw the PR related to this issue. Can you try again after this PR is merged?
Thanks for the comment! I think #41689 is unrelated; in the test reproduction we are already passing in the CA so This issue seems to be related to rejecting a self-signed certificate that has a I am happy to try again after #41689 merges just in case though.
You can try building Electron from the source code using https://github.com/electron/build-tools.
If I recall correctly, I got some error when running After confirming the patch has the intended effect on Electron I was actually thinking I would try submitting the patch straight to BoringSSL itself, if they are amenable. I feel it does not really have enough impact to warrant Electron maintaining a patch for it. So with that in mind, it might not make sense to keep this issue open here.
Preflight Checklist
Electron Version: v25.0.0
What operating system are you using? Windows
Operating System Version: Windows 10 19045.2965
What arch are you using? x64
Last Known Working Electron version: No response
Expected Behavior
Using a self-signed certificate to create a TLS connection with a custom CA when running Electron as Node.js successfully performs the request without error.
Actual Behavior
The request fails with the following stacktrace:
Testcase Gist URL
https://gist.github.com/kylecarbs/3eeb7d35a5fd6d9828e675f467144947
Additional Information
Reproduction:
1. Run server.js in a background terminal.
2. Run `node client.js` and observe "Working!" being output.
3. Run `ELECTRON_RUN_AS_NODE=1 electron.exe client.js` and observe the error.
It's possible I'm missing something obvious here. I've reproduced this on Linux and Windows.
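The reproduction above hinges on one certificate playing two roles: it is the server's leaf and, through the client's `ca` option, its own trust anchor, yet its keyUsage names only digitalSignature and keyEncipherment. The Go program below is an added example, not code from the issue, Electron, or BoringSSL; Go is used because its standard library can mint certificates offline, and the thread reports that Go programs accept this certificate. It mints the same shape of certificate (assuming, as OpenSSL 3's `req -x509` does, that basicConstraints CA:TRUE is present) and checks it under two policies Go exposes side by side: `Verify`, which accepts a leaf that is itself a trust anchor without re-checking its key usage, and `CheckSignatureFrom`, which refuses to treat an issuer lacking keyCertSign as a CA. That keyCertSign is the bit on which BoringSSL and OpenSSL diverge is my reading of the truncated comments, an assumption the page does not confirm. The program then goes beyond the thread's single case and builds the arrangement that satisfies both policies: a throwaway CA that only signs certificates, issuing a separate leaf for localhost. All names here (`certSpec`, `mint`, `BuildScenario`, `HasKeyCertSign`, `VerifyAsClient`, `StrictIssuerCheck`) are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certSpec describes one certificate to mint (this example's own type).
type certSpec struct {
	cn    string
	isCA  bool
	usage x509.KeyUsage
	dns   []string
}

// mint creates an RSA-2048 key (rsa:2048 as in the thread's openssl command)
// and a certificate for spec. With parent == nil the certificate is self-signed,
// like `openssl req -x509`; otherwise it is issued by parent using parentKey.
func mint(spec certSpec, serial int64, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: spec.cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              spec.usage,
		BasicConstraintsValid: true, // assumption: basicConstraints present, CA flag from spec
		IsCA:                  spec.isCA,
		DNSNames:              spec.dns, // subjectAltName=DNS:...
	}
	signer := key
	if parent == nil {
		parent = tmpl // self-signed: issuer == subject
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// HasKeyCertSign reports whether the certificate asserts keyCertSign, the usage
// RFC 5280 requires of any certificate whose key verifies other certificates.
func HasKeyCertSign(c *x509.Certificate) bool {
	return c.KeyUsage&x509.KeyUsageCertSign != 0
}

// VerifyAsClient mimics a TLS client handed `anchor` as its only trusted CA
// (the `ca` option in the thread's Node client) and presented `leaf` by a server
// for host. Go's path builder accepts a leaf that is itself in the root pool
// without re-checking the leaf's key usage: the lenient policy.
func VerifyAsClient(leaf, anchor *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(anchor)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// StrictIssuerCheck applies the stricter policy: treat issuer as a CA and insist
// that it is permitted to sign certificates (CA:TRUE and, if keyUsage is present,
// keyCertSign) before checking the signature on leaf.
func StrictIssuerCheck(leaf, issuer *x509.Certificate) error {
	return leaf.CheckSignatureFrom(issuer)
}

// Scenario holds the thread's self-signed certificate next to a two-certificate
// chain that every verifier named in the thread accepts.
type Scenario struct {
	SelfSigned *x509.Certificate
	CA         *x509.Certificate
	Leaf       *x509.Certificate
}

func BuildScenario() (*Scenario, error) {
	// 1. What the thread's openssl command produces: self-signed, SAN localhost,
	//    keyUsage digitalSignature+keyEncipherment and no keyCertSign.
	self, _, err := mint(certSpec{cn: "localhost", isCA: true,
		usage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		dns:   []string{"localhost"}}, 1, nil, nil)
	if err != nil {
		return nil, err
	}
	// 2. The portable alternative: a throwaway CA whose only job is signing ...
	ca, caKey, err := mint(certSpec{cn: "local dev CA", isCA: true,
		usage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, 2, nil, nil)
	if err != nil {
		return nil, err
	}
	// ... and a leaf for localhost that keeps exactly the usages a TLS server needs.
	leaf, _, err := mint(certSpec{cn: "localhost", isCA: false,
		usage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		dns:   []string{"localhost"}}, 3, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &Scenario{SelfSigned: self, CA: ca, Leaf: leaf}, nil
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("self-signed asserts keyCertSign:  ", HasKeyCertSign(s.SelfSigned))
	fmt.Println("lenient verify, self-signed:      ", VerifyAsClient(s.SelfSigned, s.SelfSigned, "localhost"))
	fmt.Println("strict check, self-signed:        ", StrictIssuerCheck(s.SelfSigned, s.SelfSigned))
	fmt.Println("lenient verify, CA-issued leaf:   ", VerifyAsClient(s.Leaf, s.CA, "localhost"))
	fmt.Println("strict check, CA-issued leaf:     ", StrictIssuerCheck(s.Leaf, s.CA))
}
```

`go run` prints `<nil>` for the lenient check of the self-signed certificate and a constraint violation for the strict one, while the CA-issued leaf passes both. For the Node and Electron reproduction the equivalent change is to point the client's `ca` option at the CA certificate and give the server the CA-issued leaf and its key, which removes the dependence on how a given verifier treats a self-signed trust anchor.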