imap-send: explicitly verify the peer certificate #1886

dscho · 2025-03-24T11:08:49Z

No description provided.

It is a bug to obtain the peer certificate without verifying it. Having said that, from my reading of https://www.openssl.org/docs/man1.1.1/man3/SSL_set_verify.html, it would appear that Git is saved by the fact that it calls `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL)` already early on. In other words, that `SSL_VERIFY_PEER` combined with the `NULL` parameter (i.e. no overridden callback) would _already_ verify the peer certificate. The fact that we later call `SSL_get_peer_certificate()` is mistaken by CodeQL to mean that that peer certificate still needs to be verified, but that had already happened at that point. Nevertheless, it is better to verify the peer certificate explicitly than to rely on some side effect that is really hard to reason about (and that took me more than one business day to analyze fully). It also makes it easier for static analyzers to validate the correctness of the code. Signed-off-by: Johannes Schindelin <[email protected]>

dscho · 2025-03-24T12:27:13Z

/submit

gitgitgadget · 2025-03-24T12:28:10Z

Submitted as [email protected]

To fetch this version into FETCH_HEAD:

git fetch https://github.com/gitgitgadget/git/ pr-1886/dscho/imap-send-verify-peer-certificate-v1

To fetch this version to local tag pr-1886/dscho/imap-send-verify-peer-certificate-v1:

git fetch --no-tags https://github.com/gitgitgadget/git/ tag pr-1886/dscho/imap-send-verify-peer-certificate-v1

gitgitgadget · 2025-03-25T23:53:25Z

This patch series was integrated into seen via git@702f63f.

gitgitgadget · 2025-03-28T09:14:48Z

This branch is now known as js/imap-send-peer-cert-verify.

gitgitgadget · 2025-03-28T09:14:49Z

This patch series was integrated into seen via git@f397b7c.

gitgitgadget · 2025-03-28T09:14:49Z

This patch series was integrated into next via git@69df4dd.

gitgitgadget · 2025-03-29T22:37:39Z

This patch series was integrated into seen via git@54684bf.

gitgitgadget · 2025-04-07T16:51:17Z

There was a status update in the "Cooking" section about the branch js/imap-send-peer-cert-verify on the Git mailing list:

Will merge to 'master'.
source: <[email protected]>

gitgitgadget · 2025-04-07T22:33:03Z

This patch series was integrated into seen via git@7b420ef.

gitgitgadget · 2025-04-07T22:33:03Z

This patch series was integrated into master via git@7b420ef.

gitgitgadget · 2025-04-07T22:33:04Z

This patch series was integrated into next via git@7b420ef.

gitgitgadget · 2025-04-07T22:33:06Z

Closed via 7b420ef.

dscho self-assigned this Mar 24, 2025

gitgitgadget bot added the seen label Mar 25, 2025

gitgitgadget bot added the next label Mar 28, 2025

gitgitgadget bot added the master label Apr 7, 2025

gitgitgadget bot closed this Apr 7, 2025

dscho deleted the imap-send-verify-peer-certificate branch April 9, 2025 05:59

imap-send: explicitly verify the peer certificate #1886

imap-send: explicitly verify the peer certificate #1886

Uh oh!

Conversation

dscho commented Mar 24, 2025

Uh oh!

dscho commented Mar 24, 2025

Uh oh!

gitgitgadget bot commented Mar 24, 2025

Uh oh!

gitgitgadget bot commented Mar 25, 2025

Uh oh!

gitgitgadget bot commented Mar 28, 2025

Uh oh!

gitgitgadget bot commented Mar 28, 2025

Uh oh!

gitgitgadget bot commented Mar 28, 2025

Uh oh!

gitgitgadget bot commented Mar 29, 2025

Uh oh!

gitgitgadget bot commented Apr 7, 2025

Uh oh!

gitgitgadget bot commented Apr 7, 2025

Uh oh!

gitgitgadget bot commented Apr 7, 2025

Uh oh!

gitgitgadget bot commented Apr 7, 2025

Uh oh!

gitgitgadget bot commented Apr 7, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant