Add an option (tls_ca_subject) to check the subject of the root certificate, to avoid attacks with leaf certificates generated by compromissed or malicious certificate authorities, this is a key pinning mechanism
patch 7cf737ec305ade9759d13a9fa2f5ef70b6158c45
Author: Enrique D. Bosch <presidev@AT@gmail.com>
Date: Wed Jun 8 00:14:13 CEST 2016
* Add an option (tls_ca_subject) to check the subject of the root certificate, to avoid attacks with leaf certificates generated by compromissed or malicious certificate authorities, this is a key pinning mechanism
hunk ./.idlebiffrc 25
+tls_ca_subject=
hunk ./idlebiff 30
-namespace eval static { variable tag 1 }
+namespace eval static \
+{
+ variable tag 1
+ variable ccsp 0
+ array set ccsu {}
+}
+
hunk ./idlebiff 460
+proc parse_cert_subject { sub } \
+{
+ set cst [ split [ string map { , = / = } $sub ] = ]
+ foreach v $cst { lappend cstp [ string trim $v ] }
+ return $cstp
+}
+
+proc tls_cb { type channel depth cert status error } \
+{
+ variable ::shared::conf
+ variable ::static::ccsu
+ variable ::static::ccsp
+
+ array set ca $cert
+ if { $conf(tls_ca_subject)!="" && $type=="verify" && $ca(subject)==$ca(issuer) } \
+ {
+ array set csu [ parse_cert_subject $ca(subject) ]
+ if !$ccsp \
+ {
+ array set ccsu [ parse_cert_subject $conf(tls_ca_subject) ]
+ set ccsp 1
+ }
+ foreach i [ array names ccsu ] \
+ { if { ![ info exists csu($i) ] || $csu($i)!=$ccsu($i) } { error cert } }
+ }
+}
hunk ./idlebiff 504
- -cipher \"$conf(tls_ciphers)\""
+ -cipher \"$conf(tls_ciphers)\" \
+ -command tls_cb"