Tls_certificate_check: TLS/SSL certificate verification for humans

g-andrade · May 21, 2020, 2:06am

Hi forum,

I’ve the pleasure to announce the release of tls_certificate_check, a library that packs the boilerplate required for verifying the authenticity of certificates presented by TLS servers against a list of trusted certificate authorities.

It wraps certifi and ssl_verify_fun together with the code required for verifying certificate chains in non canonical order.

It’s simple enough to use:

host = "example.com"
port = 443
tls_options = :tls_certificate_check.options(host)
:ssl.connect(host, 443, tls_options)

You’ll no longer need to copy the usual CA validation boilerplate everywhere!

kip · May 21, 2020, 2:16am

This looks great, thanks for the lib. Would you consider also wrapping castore as an option?

g-andrade · May 21, 2020, 11:18am

It’s a good ideia; however, having tls_certificate_check depend on castore directly would complicate compatibility with Erlang (since it’s an Elixir dependency.)

I’m planning to add support for consumer-defined CA lists, though - that could be one way to use castore instead of certifi.

kip · May 21, 2020, 11:20am

Ah, yes, good point. And good solution too since they would allow using platform certificate stores too.

g-andrade · April 2, 2021, 6:27pm

I forgot about this entirely… therefore I created an issue in GitHub to remind me of it.

g-andrade · April 2, 2021, 6:31pm

tls_certificate_check 1.3.0 has been released today.

It now provides the CAs to the API through persistent_term.

(And since I forgot to announce the 1.2.0 update here: certifi is no longer the backing CA store.)

g-andrade · September 3, 2021, 2:12pm

tls_certificate_check 1.9.0 is out!

Highlights:

changed partial chain handling to prepare for DST Root CA X3 expiration on September 30
switched documentation from edoc to ExDoc

Links:

g-andrade · October 1, 2021, 6:10pm

tls_certificate_check 1.10.0 has arrived.

Highlights:

DST Root CA X3, now expired, was removed

g-andrade · October 28, 2021, 5:54pm

tls_certificate_check 1.11.0 is out.

New CAs:

HARICA TLS ECC Root CA 2021
HARICA TLS RSA Root CA 2021
TunTrust Root CA

g-andrade · February 2, 2022, 4:52pm

tls_certificate_check 1.12.0 is out

New CAs:

vtrus ecc root ca
isrg root x2
vtrus root ca
HiPKI Root CA - G1
Autoridad de Certificacion Firmaprofesional CIF A62634068

Updated CAs:

gts root r4
gts root r3
gts root r1
gts root r2
GlobalSign ECC Root CA - R4

Removed CAs:

GlobalSign Root CA - R2
cybertrust global root

g-andrade · January 11, 2023, 7:02pm

That took me a while!

tls_certificate_check 1.17.0 is out, and it does a couple of cool new things.

For OTP 25+, it now uses OTP-trusted CAs by default - if any / when available, falling back to the bundled CAs otherwise (this is tweakable).

This version also supports overriding the trusted CAs (say, if you’d wish to use CAStore instead.)

cadebward · January 17, 2023, 4:00am

Thanks for the great library, @g-andrade! I’ve noticed since 0.16 and up I get the following error

Generated myapp app
[info] Loading 159 CA(s) from :otp store
[error] GenServer #PID<0.500.0> terminating
** (stop) {:unexpected_info, {:EXIT, #Port<0.7>, :normal}}
Last message: {:EXIT, #Port<0.7>, :normal}
State: {:state, true}

I don’t think it’s critical because it does retry and succeed quickly thereafter, but just thought I’d throw this out there in case it was unexpected.

Thanks again!

g-andrade · January 17, 2023, 4:02pm

Thanks for reporting, @cadebward ! Someone else also reported the issue on GitHub : I’ve released version 1.17.3, which should fix the problem.

g-andrade · February 19, 2023, 7:57pm

tls_certificate_check 1.17.4 no longer fails to start on OTP 25+ when loading OTP-trusted CAs throws an error exception unrelated to undefined modules or functions - it falls back to the bundled CAs as originally intended.