Plan 9 from Bell Labs’s /usr/web/sources/contrib/mospak/tls-modern-client/tls-ca-bundle-default.patch

Copyright © 2021 Plan 9 Foundation.
Distributed under the MIT License.


hget, webfs: X.509 chain verification on by default via /sys/lib/tls/ca.pem

Wires hget and webfs to read /sys/lib/tls/ca.pem at connect
time and hand the parsed chain to tlsClient via the
TLSconn.rootCAchain field (added by
libsec-x509-chain-hostname).  When the bundle is present,
tlsClient performs X.509 chain verification + RFC 6125
hostname match + validity-window enforcement before returning
success.

/sys/lib/tls/ca.pem already ships in 9legacy as a Mozilla NSS
root bundle extracted via mk-ca-bundle.pl.  Until this patch
nothing in the tree read it.  The end user owns the file and
can refresh it at any time:

    hget https://curl.se/ca/cacert.pem > /sys/lib/tls/ca.pem

No rebuild or reboot is needed after a bundle refresh; hget
and webfs re-read the file per HTTPS request.

Opt-out (machine-wide, persistent): rename or delete the
bundle.  readcertchain returns nil, TLSconn.rootCAchain stays
nil, and tlsClient falls back to the pre-patch
thumbprint-only trust model.

Other TLS consumers (upas/fs imap4/pop3, upas/smtp,
tlsclient) are unchanged — they use thumbprints against
/sys/lib/tls/mail and /sys/lib/tls/smtp respectively.

RFC 5246 §7.4.2 (server Certificate chain); 5280 (X.509 chain
validation); 6125 (hostname match).

--- sys/src/cmd/hget.c
+++ sys/src/cmd/hget.c
@@ -354,13 +354,18 @@
 
 			memset(&conn, 0, sizeof conn);
 			conn.serverName = u->host;	/* SNI: modern servers require it */
+			/* Trust anchors for X.509 chain verification.  readcertchain
+			 * returns nil if the bundle is missing or unreadable, and
+			 * tlsClient falls back to the thumbprint-only model. */
+			conn.rootCAchain = readcertchain("/sys/lib/tls/ca.pem");
 			tfd = tlsClient(fd, &conn);
+			if(conn.rootCAchain)
+				freecertchain(conn.rootCAchain);
 			if(tfd < 0){
 				fprint(2, "tlsClient: %r\n");
 				close(fd);
 				return Error;
 			}
-			/* BUG: check cert here? */
 			if(conn.cert)
 				free(conn.cert);
 			close(fd);
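Review bot: the nil-bundle fallback is silent, so a missing or unreadable /sys/lib/tls/ca.pem quietly turns X.509 chain, hostname and validity checking off for every connection, and the removed `/* BUG: check cert here? */` line is the only hint that nothing else checks `conn.cert` on that path; neither this hunk nor its context consults a thumbprint file, so the comment's "falls back to the thumbprint-only model" should either point at where that check actually happens or be reworded to say that no certificate check is done without the bundle. A one-line diagnostic at that point keeps the opt-out but makes it visible, e.g. `if(conn.rootCAchain == nil) fprint(2, "hget: no CA bundle at /sys/lib/tls/ca.pem; certificate chain not verified\n");` before the `tlsClient` call. The path literal is also duplicated verbatim in webfs/io.c and belongs in one shared definition.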
--- sys/src/cmd/webfs/io.c
+++ sys/src/cmd/webfs/io.c
@@ -64,13 +64,18 @@
 
 	memset(&conn, 0, sizeof conn);
 	conn.serverName = host;	/* SNI: modern servers pick a cert based on it */
+	/* Trust anchors for X.509 chain verification.  readcertchain returns
+	 * nil if the bundle is missing or unreadable, and tlsClient falls
+	 * back to the thumbprint-only model. */
+	conn.rootCAchain = readcertchain("/sys/lib/tls/ca.pem");
 
 	tfd = tlsClient(fd, &conn);
+	if(conn.rootCAchain)
+		freecertchain(conn.rootCAchain);
 	close(fd);
 	if(tfd < 0)
 		fprint(2, "%s: tlsClient: %r\n", argv0);
 	else {
-		/* BUG: check cert here? */
 		if(conn.cert)
 			free(conn.cert);
 	}
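Review bot: webfs is a long-running server that opens a fresh connection per request, so `readcertchain("/sys/lib/tls/ca.pem")` here re-reads and re-parses the whole root bundle on every HTTPS request; if the per-request re-read is intentional (so a refresh of the bundle takes effect without restarting webfs), caching the parsed chain and re-reading only when the file's modification time or qid changes would keep that property without the repeated PEM parse. The same silent-downgrade concern as in hget.c applies: when `readcertchain` returns nil nothing in this hunk checks `conn.cert` at all, so a diagnostic when the bundle is absent, e.g. `fprint(2, "%s: no CA bundle at /sys/lib/tls/ca.pem; certificate chain not verified\n", argv0);`, would make the fallback observable. Minor: with the BUG comment gone the `else { if(conn.cert) free(conn.cert); }` block wraps a single statement and can lose its braces.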
