crocs-muni / usable-cert-validation Goto Github PK
View Code? Open in Web Editor NEWResearch initiative to make TLS certificate validation usable.
Home Page: https://x509errors.org
License: MIT License
Research initiative to make TLS certificate validation usable.
Home Page: https://x509errors.org
License: MIT License
Get rid of the extensive number of useless blank lines.
...and archive the old one to x509errors.cz/devconf2018.
Based on Petr's paper
On the website, in the error list, there's "the project GitHub" links. Clicking on them results in 404.
One example is https://github.com/crocs-muni/usable-cert-validation/tree/master/errors/X509_%C2%ADV_%C2%ADERR_%C2%ADCERT_%C2%ADNOT_%C2%ADYET_%C2%ADVALID.
If you look closely, they contain %C2%AD
which is "SOFT HYPHEN" Unicode character.
Currently, the "rolldowns" with details about various errors cannot be expanded without JavaScript enabled, which makes the page somewhat less usable.
One solution would be to use the <details>
and <summary>
HTML5 elements, although they are not universally supported.
Another solution, in the spirit of progressive enhancement and unobtrusive JavaScript, the rolldowns could be expanded by default and only collapsed upon page load in browsers that run scripts.
Write example code performing TLS connection in OpenSSL and incorporate it in the repo.
To reflect changes in the OpenSSL documentation, parse and generate the original .pod
file with the documentation: https://github.com/openssl/openssl/blob/master/doc/man1/openssl-verify.pod
Currently, the archives contain many files (certificates, keys, CSRs, expected outputs). Certificates would be sufficient.
Secondly, the folder structure in the archive can be much simpler (just the error case folder).
First step: Consult Matej Grabovsky (PA193 experiment).
If it's really duplicity, submit a merge request to update the one with less info.
Don't build the web on GitHub servers – build on Travis instead and just push generated files to GitHub (the same way faktaoklimatu.cz does). This way, local plugins can be used.
On your local machine, set up and test a local build. At least make certs
and make web
should succeed. If you decide to install Jekyll, make web-local
should also succeed.
You should not push changes that do not compile locally -- currently, the build is broken (you're getting notification emails with every still failing push). This in practice means the web deploy will not run and I cannot see my changes online.
Look up what's wrong with X509_V_ERR_CA_MD_TOO_WEAK.
Generated certs produce the right error with OpenSSL 1.1.1, but with OpenSSL 1.1.1.c FIPS, the validation succeeds.
Try higher auth_level, level 2 is currently used when verifying.
See: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_level.html
There is 3 of them:
X509_V_OK
X509_V_ERR_UNSPECIFIED
X509_V_ERR_PROXY_SUBJECT_INVALID
I.e. create the corresponding YAML files. For tags, [ openssl ]
is sufficient now (we'll do the sectioning together).
Currently, some error cases use --infile endpoint.crt
and others < endpoint.crt
. Unify this for the former one.
Check which version of OpenSSL runs on Travis CI. Consider using the current master, i.e. building our own.
When a certificate chain fails to validate with the correct error message, the make fails.
However, if we try to build second time, then the chain had already been generated, no tests are run, and Make finishes correctly (even though it shouldn't).
What would be the correct way to solve this?
And link resulting ZIP files in the error list.
Add the dedicated authors file.
Currently, OpenSSL verification commands only had a single line. However, some GnuTLS commands (e.g. X509_V_ERR_CRL_HAS_EXPIRED) have multiple lines. Are all these necessary? I do not think so. On the other hand, the possibility of multiple lines complicates displaying them.
web/_data/error.yml
.Think it through and have consistent and accessible naming and error data.
Further considerations:
Look up what they are and where they should belong.
These are:
X509_V_ERR_AKID_SKID_MISMATCH
X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
X509_V_ERR_NO_ISSUER_PUBLIC_KEY
X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH
X509_V_ERR_UNNESTED_RESOURCE
X509_V_ERR_OCSP_VERIFY_NEEDED
Comments can be added (starting with #) to separate sections.
Be transparent to which version of the documentation are we relating.
Update generation of the web version in the footer using metadata instead of a custom bash script (the way faktaoklimatu.cz does).
Depends on #34.
What changes are to be done in OpenSSL 3.0? Are any of them relevant to us?
Install libraries, run a CLI where available, otherwise write validation code.
E.g.:
Services are deprecated.
Including:
May or may not be useful -- this gives more emphasis on the situation in OpenSSL.
Such as security.txt
, humans.txt
and robots.txt
.
For each case and library used, have the expected output in a file.
Have descriptions/stories of the main use cases:
These will help us adjust the web to help accomplish these use cases.
First ideas:
Write a short contributing guide.
See for example https://github.com/kmindi/special-files-in-repository-root
Ask Petr Sekan or Matus Nemec to help.
Create example certificates for some error codes.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.