[sword-devel] Self signed certs during module install [was: SWORD 1.8.0RC3]

Troy A. Griffitts scribe at crosswire.org
Mon Jun 26 02:38:57 MST 2017


So, the background and original thinking with this: It was originally
turned on because it wasn't too long ago that CrossWire used self-signed
certificates.

My thinking was, primary security concern are twofold: 1) It's not like
a browser where a user is sending data; we're not enabling user data
transmission, but instead just Bible downloads. 2) persecuted countries;
the destination isn't masked by using https, only which Bible. If
someone is monitoring the download from our site, an authenticated host
connection won't hide that, and if they are monitoring the content, then
it is only the Scriptures.

I'm certainly willing to add a compile flag to enable/disable
self-signed certs.  I'm also willing to make this a runtime option for
the client of the library.

Troy


On 06/26/2017 11:26 AM, Jaak Ristioja wrote:
> I think we need to make a distinction between developers and end users
> here. IMHO it were best if the end user were presented with a choice
> about whether to trust the self-signed, unverified or invalid
> certificates, and perhaps also provide means to trust the presented
> certificate permanently.
>
> PS: I haven't tested it, but adding the self-signed certificates to the
> root CA store might be a valid workaround for development purposes.
>
> On 26.06.2017 12:15, Peter Von Kaehne wrote:
>> Fair point, but a change from one to the other may be preferable for philosophical reasons, but practically I - and others - need to be able as users to make a determination what we want to accept and what not, instead of being forced into one direction. And, as tool writer and user (not frontend writer) I need to be able to override such things mechanically, i.e. without further user interaction.  
>>
>>> Gesendet: Montag, 26. Juni 2017 um 10:04 Uhr
>>> Von: "Jaak Ristioja" <jaak at ristioja.ee>
>>> An: sword-devel at crosswire.org
>>> Betreff: Re: [sword-devel] SWORD 1.8.0RC3
>>>
>>> Overriding this setting was never possible with Sword in the first place.
>>>
>>> On 26.06.2017 11:05, refdoc at gmx.net wrote:
>>>> As a user I would want to be able to override this, does this patch make
>>>> this impossible?
>>>>
>>>> Sent from my mobile. Please forgive shortness, typos and weird autocorrects.
>>>>
>>>>
>>>> -------- Original Message --------
>>>> Subject: Re: [sword-devel] SWORD 1.8.0RC3
>>>> From: Jaak Ristioja
>>>> To: sword-devel at crosswire.org
>>>> CC:
>>>>
>>>>
>>>>     Sure! Verifying TLS certificates is explicitly disabled the file
>>>>
>>>>     src/mgr/curlhttpt.cpp
>>>>
>>>>     by the lines:
>>>>
>>>>     /* Disable checking host certificate */
>>>>     curl_easy_setopt(session, CURLOPT_SSL_VERIFYPEER, false);
>>>>
>>>>     I've attached a patch for Sword SVN trunk which removed these lines. For
>>>>     the Sword++ commit, see
>>>>     https://github.com/swordxx/swordxx/commit/49de93ca35f61601376fab0ac8689f48a76dd4d6
>>>>
>>>>     J
>>>>
>>>>
>>>>     On 26.06.2017 04:10, Greg Hellings wrote:
>>>>     > Jaak,
>>>>     >
>>>>     > Can you provide a version of that patch for 1.7 (and 1.8, if there
>>>>     is a
>>>>     > difference)? Or point me to where it lives? I will definitely wrap
>>>>     that
>>>>     > into the packaging for Fedora and SuSE as it is absolutely
>>>>     inappropriate
>>>>     > to have SSL checking skipped at the library level without it being a
>>>>     > very explicit step for users.
>>>>     >
>>>>     > If Troy won't fix this glaring security hole, it can at least be fixed
>>>>     > by the packagers. I would encourage any Debian and/or Ubuntu users to
>>>>     > file bugs against Sword packaging in their environments (if their
>>>>     > maintainer isn't here) and the same for any other distribution users.
>>>>     >
>>>>     > --Greg
>>>>     >
>>>>     > On Sun, Jun 25, 2017 at 6:56 PM, Jaak Ristioja > > wrote:
>>>>     >
>>>>     > Regarding TLS, I think the choice of whether to trust a self-signed
>>>>     > certificate should explicitly be left to the user at run-time (e.g
>>>>     like
>>>>     > browsers do), rather than blindly accepting any (even expired?)
>>>>     > certificates.
>>>>     >
>>>>     > Regarding the other fix, frontends can (and already do) handle
>>>>     threading
>>>>     > by themselves, but afaik even for a single-threaded process the
>>>>     > callbacks accepted by Sword have no direct means to terminate the
>>>>     > installation process (e.g. by return value, or via a another callback
>>>>     > provided to the callback). So it seems that you're either saying that
>>>>     >
>>>>     > 1) Sword users have no means to terminate potentially long-running
>>>>     > processes (and there's no plan to add such means), or
>>>>     > 2) RemoteTransport::terminate() should never be called separately, but
>>>>     > exclusively only from inside callbacks invoked by Sword.
>>>>     >
>>>>     > In the latter case, this should be made clear in the documentation.
>>>>     >
>>>>     > Blessings,
>>>>     > J
>>>>     >
>>>>     > On 25.06.2017 21 :53, Troy A. Griffitts wrote:
>>>>     > > We have included some of your patches in the past (thank you
>>>>     > again), but
>>>>     > > not these. The first is intentional. We want to work with self
>>>>     signed
>>>>     > > certs if necessary. Non of our content is private, only the fact
>>>>     > that a
>>>>     > > user might access our server and for this, we ask all our
>>>>     frontends to
>>>>     > > warn against this for persecuted countries. The second goes
>>>>     > against our
>>>>     > > policy in the library that all threading should be handled by the
>>>>     > > client, not the library. The client should instantiate an
>>>>     > InstallMgr in
>>>>     > > its own thread and register threads are callbacks, if they wish to
>>>>     > > install in the background. If we start trying to handle threading
>>>>     > in the
>>>>     > > library itself, it is a huge switch from current policy and
>>>>     depends on
>>>>     > > support for threading in all our compilers. Easy enough to just
>>>>     > > instantiate separate SWMgr instances per thread. But thank you for
>>>>     > offering.
>>>>     > > Troy
>>>>     > >
>>>>     > > On June 25, 2017 8:33:53 PM GMT+02:00, Jaak Ristioja
>>>>     > >
>>>>     > > wrote:
>>>>     > >
>>>>     > > Hi Troy!
>>>>     > >
>>>>     > > It seems that no fixes from Sword++ were considered for
>>>>     > inclusion in SVN
>>>>     > > trunk, not even the two I explicitly proposed on this list in
>>>>     > response
>>>>     > > to the RC2 announcement: one fixing hangs in front ends and
>>>>     > the other
>>>>     > > fixing a pure security negligence which rendered SSL/TLS
>>>>     > susceptible to
>>>>     > > MitM attacks.
>>>>     > >
>>>>     > > ?!?!
>>>>     > >
>>>>     > > J
>>>>     > >
>>>>     > > On 25.06.2017 18 :51, Troy A. Griffitts
>>>>     > wrote:
>>>>     > >
>>>>     > > Again, thank you to all the testers and reporters of problems
>>>>     > > for the
>>>>     > > previous RC and those who contributed fixes. Hopefully, this
>>>>     > > will stand
>>>>     > > any scrutiny and become 1.8.0. Please let me know if you have
>>>>     > > any feedback.
>>>>     > >
>>>>     > >
>>>>     > http://crosswire.org/sword/alpha/alpha/sword-1.7.903.tar.gz
>>>>     >
>>>>     > >
>>>>     > >
>>>>     > > Included since last RC:
>>>>     > >
>>>>     > >
>>>>     >
>>>>     ------------------------------------------------------------------------
>>>>     > >
>>>>     > > r3482 | scribe | 2017-06-25 07:36:23 -0700 (Sun, 25 Jun 2017) |
>>>>     > > 2 lines
>>>>     > >
>>>>     > > Reworked strongs and lemma filters to better support any combo
>>>>     > > of toggle
>>>>     > > Added osisxhtml lemma type= support for other than Greek, Hebrew
>>>>     > > strongs
>>>>     > >
>>>>     >
>>>>     ------------------------------------------------------------------------
>>>>     > >
>>>>     > > r3481 | scribe | 2017-06-25 04:45:04 -0700 (Sun, 25 Jun 2017) |
>>>>     > > 3 lines
>>>>     > >
>>>>     > > moved examples/simple.cpp to examples/tasks/simpleverselookup.cpp
>>>>     > >
>>>>     > > also updated CMakeList.txt to build new examples
>>>>     > >
>>>>     >
>>>>     ------------------------------------------------------------------------
>>>>     > >
>>>>     > > r3480 | scribe | 2017-06-25 04:44:29 -0700 (Sun, 25 Jun 2017) |
>>>>     > > 1 line
>>>>     > >
>>>>     > > added listbiblebooknames example
>>>>     > >
>>>>     >
>>>>     ------------------------------------------------------------------------
>>>>     > >
>>>>     > > r3479 | scribe | 2017-06-25 04:44:01 -0700 (Sun, 25 Jun 2017) |
>>>>     > > 1 line
>>>>     > >
>>>>     > > added flatapi installmgr example
>>>>     > >
>>>>     >
>>>>     ------------------------------------------------------------------------
>>>>     > >
>>>>     > > r3478 | refdoc | 2017-06-10 15:28:11 -0700 (Sat, 10 Jun 2017) |
>>>>     > > 2 lines
>>>>     > >
>>>>     > > added Belarussian locale file
>>>>     > >
>>>>     > >
>>>>     >
>>>>     ------------------------------------------------------------------------
>>>>     > >
>>>>     > > r3477 | domcox | 2017-06-04 11:18:34 -0700 (Sun, 04 Jun 2017) |
>>>>     > > 1 line
>>>>     > >
>>>>     > > French translation update (Contrib. from Cyrille)
>>>>     > >
>>>>     >
>>>>     ------------------------------------------------------------------------
>>>>     > >
>>>>     > >
>>>>     > >
>>>>     > >
>>>>     >
>>>>     ------------------------------------------------------------------------
>>>>     > >
>>>>     > > sword-devel mailing list: sword-devel at crosswire.org
>>>>     > > http://www.crosswire.org/mailman/listinfo/sword-devel
>>>>     >
>>>>     > > Instructions to unsubscribe/change your settings at above page
>>>>     > >
>>>>     > >
>>>>     > >
>>>>     > >
>>>>     >
>>>>     ------------------------------------------------------------------------
>>>>     > >
>>>>     > > sword-devel mailing list: sword-devel at crosswire.org
>>>>     > > http://www.crosswire.org/mailman/listinfo/sword-devel
>>>>     >
>>>>     > > Instructions to unsubscribe/change your settings at above page
>>>>     > >
>>>>     > >
>>>>     > > --
>>>>     > > Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>>>     > >
>>>>     > >
>>>>     > > _______________________________________________
>>>>     > > sword-devel mailing list: sword-devel at crosswire.org
>>>>     > > http://www.crosswire.org/mailman/listinfo/sword-devel
>>>>     >
>>>>     > > Instructions to unsubscribe/change your settings at above page
>>>>     > >
>>>>     >
>>>>     >
>>>>     > _______________________________________________
>>>>     > sword-devel mailing list: sword-devel at crosswire.org
>>>>     >
>>>>     > http://www.crosswire.org/mailman/listinfo/sword-devel
>>>>     >
>>>>     > Instructions to unsubscribe/change your settings at above page
>>>>     >
>>>>     >
>>>>     >
>>>>     >
>>>>     > _______________________________________________
>>>>     > sword-devel mailing list: sword-devel at crosswire.org
>>>>     > http://www.crosswire.org/mailman/listinfo/sword-devel
>>>>     > Instructions to unsubscribe/change your settings at above page
>>>>     >
>>>>
>>>>
>>>>     _______________________________________________
>>>>     sword-devel mailing list: sword-devel at crosswire.org
>>>>     http://www.crosswire.org/mailman/listinfo/sword-devel
>>>>     Instructions to unsubscribe/change your settings at above page
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> sword-devel mailing list: sword-devel at crosswire.org
>>>> http://www.crosswire.org/mailman/listinfo/sword-devel
>>>> Instructions to unsubscribe/change your settings at above page
>>>>
>>>
>>> _______________________________________________
>>> sword-devel mailing list: sword-devel at crosswire.org
>>> http://www.crosswire.org/mailman/listinfo/sword-devel
>>> Instructions to unsubscribe/change your settings at above page
>>>
>> _______________________________________________
>> sword-devel mailing list: sword-devel at crosswire.org
>> http://www.crosswire.org/mailman/listinfo/sword-devel
>> Instructions to unsubscribe/change your settings at above page
>>
>
> _______________________________________________
> sword-devel mailing list: sword-devel at crosswire.org
> http://www.crosswire.org/mailman/listinfo/sword-devel
> Instructions to unsubscribe/change your settings at above page




More information about the sword-devel mailing list