Supporting x.509 v1 certificates and v3 certificates with no extensions #29
Comments
|
What's your use case for these? |
|
Support for v3 certificates without extensions is actually quite important for our project, e.g., to be backward-compatible with self-signed certificates (that we generated using openssl) that are deployed in production and difficult to change. We were waiting for briansmith/webpki#219 (which has quite a bit of support via 👍) to be resolved (via briansmith/webpki#241) for a long time now (almost 2 years), but unfortunately it hasn't happened yet. For the time being, we are working with a private fork of briansmith/webpki, but maintaining it is cumbersome and we'd be very happy to see this addressed in rustls/webpki (e.g., via briansmith/webpki#241). |
|
I'm writing a gemini browser and I see a fair amount of servers with v1 certificates in the wild. |
|
I'm quite hesitant to see support for X509 v1 certificates and don't think there's been enough compelling evidence presented to motivate support in this crate. Is that the only remaining aspect keeping this ticket open now that the V3 sans extensions work has landed? |
Why's that?
I think so. |
I think it's more code surface for limited benefit. X509v3 was standardized in ~1996 and the web PKI has required V3 for over a decade. I believe remaining use-cases of V1 are largely self-signed certificates generated with poor defaults and I don't think the deployment of those certificates in 2023 is wide spread enough to merit adopting workarounds (or at least haven't been convinced of that yet). |
|
That sounds like a fair argument. I say we're good with @fspreiss work. |
|
Thanks for your gracious response, will close this. |
|
If it turns out that for some reason V1 certificates are in widespread use in the MQTT ecosystem, perhaps we should reconsider this? |
|
Do we know that they're in widespread use beyond |
|
I don't know -- just speculating that there might be some obscure reason some ecosystems are sticking to V1. |
According to rfc5280, x509v3 was standardised in June 1996. RusTLS only accepts v3 certificates rejected the v1 default. (ref: rustls/webpki#29 (comment)) It seems reasonable that all client libraries can accept v3. Thanks Austin Bonander for the suggested patch.
According to rfc5280, x509v3 was standardised in June 1996. RusTLS only accepts v3 certificates rejected the v1 default. (ref: rustls/webpki#29 (comment)) It seems reasonable that all client libraries can accept v3. Thanks Austin Bonander for the suggested patch.
According to rfc5280, x509v3 was standardised in June 1996. RusTLS only accepts v3 certificates rejected the v1 default. (ref: rustls/webpki#29 (comment)) It seems reasonable that all client libraries can accept v3. X509_VERSION_3 has a fixed value of 2, but isn't defined in OpenSSL-1.1.1. Thanks Austin Bonander for the suggested patch.
According to rfc5280, x509v3 was standardised in June 1996. RusTLS only accepts v3 certificates rejected the v1 default. (ref: rustls/webpki#29 (comment)) It seems reasonable that all client libraries can accept v3. X509_VERSION_3 has a fixed value of 2, but isn't defined in OpenSSL-1.1.1. Thanks Austin Bonander for the suggested patch.
I wonder if it's in the interest of this fork to support these two types of certificates. The original repository already has two open pull requests to add these features:
The text was updated successfully, but these errors were encountered: