Build failure due to MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION about uacme HOT 6 CLOSED

Unfortunately mbedTLS is very blunt here: instead of checking unknown critical extensions at the point of use, it refuses to load any certificate with such extensions from a file or memory buffer, unless compiled with MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.

Therefore since TLS-ALPN-01 validation requires a new critical extension that mbedTLS does not know about: https://tools.ietf.org/html/rfc8737#section-6.1 you simply can not use ualpn with mbedTLS unless you build it with that option.

You can exclude ualpn from the build by adding the --without-ualpn option to configure. On buildroot ualpn has its own enable menu option (disabled by default): https://git.buildroot.net/buildroot/tree/package/uacme/Config.in

Do you think there is any value in adding a test in configure.ac to disable ualpn automatically unless mbedTLS is built with MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION?

from uacme.

Thanks for the clarification, I think that you can let your code like this for now.

I'll try to cook a patch to enable MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION in mbedtls/Config.in

Then, I'll select this new option if mbedtls is enabled and BR2_PACKAGE_UACME_UALPN is set. I'll copy/paste your explanation in the Config.in so the user is aware of the potential security risk. I think that the best option for the end user.

from uacme.

Ok, thanks. I'm closing the issue then,

from uacme.

@ndilieto in the end it's possible to use mbedtls for ualpn ? openwrt has now mbedtls-2.16.12

from uacme.

Yes, but you either need mbedtls version 2.23.0 or higher, or you must configure 2.16 with MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION

Mbed-TLS/mbedtls#3243 (comment)

Mbed-TLS/mbedtls#3241

from uacme.

thanks, I'll try to push for updated version

from uacme.