
Certificate thumbprints should not be case-sensitive #605

Closed
1 task done
khellang opened this issue May 3, 2024 · 2 comments
Labels
team/server-at-scale Describes the Octopus Deploy team called Server At Scale

Comments

@khellang

khellang commented May 3, 2024

Team

  • I've assigned a team label to this issue

What happened?

Providing a thumbprint with different casing on the client and server-side gives the following exception:

The server at https://localhost:8080/ presented an unexpected security certificate. We expected the server to present a certificate with the thumbprint 'a7b12a038945afdee39661bcf59cf1600c811122'. Instead, it presented a certificate with a thumbprint of 'A7B12A038945AFDEE39661BCF59CF1600C811122' and subject ''.

As you can see, the thumbprint is correct, but differs in casing. It expected lowercase, but got uppercase. Certificate thumbprints are a hex-string representation of SHA-based hashes and shouldn't be treated as equal whether they are upper- or lower case.

Reproduction

Provide a thumbprint with different casing on the client and server-side.

Workaround

Aligning the thumbprints with the same case fixes the problem.

@rhysparry rhysparry added the team/server-at-scale Describes the Octopus Deploy team called Server At Scale label May 6, 2024
@LukeButters
Contributor

Hi thanks for raising an issue :D.

It looks like thumbprints are always upper case hex:

The comparison here is between what it received over the stream (which in the error message is upper case) and what was set on the ServiceEndpoint (which in the error message is lower case). A fix could be to always upper case the thumbprint given to the ServiceEndpoint. If that isn't suitable let us know :)

@khellang
Author

khellang commented May 13, 2024

A fix could be to always upper case the thumbprint given to the ServiceEndpoint. If that isn't suitable let us know :)

I guess it's suitable and it would effectively make it case-insensitive, but why bother when you can avoid the allocation?

Thumbprints are hexadecimal representations of the SHA1 (or sometimes SHA256) digest bytes of a certificate. Hexadecimal bytes are case-insensitive (i.e. 2A and 2a both represent the decimal value 42) and there are lots of ways to obtain the thumbprint of a certificate. Here's a screenshot from certmgr in Windows, showing the thumbprint as lowercase:

[screenshot: certmgr showing the thumbprint in lowercase]

Anyway, it's not a blocker as it's easy to work around, but it would be nice if it just worked out of the box, whether that is by doing case-insensitive comparisons or calling ToUpper on both ends. 😀

@khellang khellang closed this as not planned Won't fix, can't repro, duplicate, stale May 21, 2024
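The comparison the thread is asking for, as an added example written for this page rather than code from Halibut or Octopus Deploy: the `ThumbprintCheck` class and its `Normalize`/`Matches` methods are hypothetical names chosen here. It compares the two thumbprints quoted in the exception above with `StringComparison.OrdinalIgnoreCase`, which treats `2a` and `2A` as equal without allocating an upper-cased copy of either string, and it also accepts the colon- or space-separated form that certificate tools often display.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example, not Halibut/Octopus code. Compares an operator-supplied thumbprint
// with the one a peer presented, ignoring hex casing and without allocating an
// upper-cased copy of either string.
public static class ThumbprintCheck
{
    // Strips the separators that tools commonly insert between byte pairs
    // (colons, spaces, dashes) and rejects anything that is not a hex digit.
    public static string Normalize(string thumbprint)
    {
        if (thumbprint is null) throw new ArgumentNullException(nameof(thumbprint));

        var buffer = new char[thumbprint.Length];
        var length = 0;
        foreach (var c in thumbprint)
        {
            if (c == ':' || c == ' ' || c == '-') continue;
            if (!Uri.IsHexDigit(c)) throw new FormatException($"'{c}' is not a hexadecimal digit");
            buffer[length++] = c;
        }

        if (length % 2 != 0) throw new FormatException("Thumbprint has an odd number of hex digits");
        return new string(buffer, 0, length);
    }

    // Case-insensitive ordinal comparison: "2a" and "2A" encode the same byte, so two
    // hex strings that differ only in case denote the same digest. No ToUpper copy is made.
    public static bool Matches(string expected, string presented) =>
        string.Equals(Normalize(expected), Normalize(presented), StringComparison.OrdinalIgnoreCase);

    // Same check against a certificate object. GetCertHashString() returns the SHA-1
    // thumbprint as upper-case hex, which is why a lower-case configured value fails
    // under a plain case-sensitive comparison.
    public static bool Matches(string expected, X509Certificate2 certificate) =>
        Matches(expected, certificate.GetCertHashString());

    public static void Main()
    {
        // The two values quoted in the exception in this issue.
        const string configured = "a7b12a038945afdee39661bcf59cf1600c811122";
        const string presented  = "A7B12A038945AFDEE39661BCF59CF1600C811122";

        // Case-sensitive comparison: the mismatch the error message reports.
        Console.WriteLine(string.Equals(configured, presented, StringComparison.Ordinal)); // False

        // Case-insensitive comparison: the same digest, so it matches.
        Console.WriteLine(Matches(configured, presented)); // True

        // The same digest copied with separators (constructed form of the value above).
        Console.WriteLine(Matches("a7:b1:2a:03:89:45:af:de:e3:96:61:bc:f5:9c:f1:60:0c:81:11:22", presented)); // True

        // A single differing hex digit is still rejected.
        Console.WriteLine(Matches(configured, "A7B12A038945AFDEE39661BCF59CF1600C811123")); // False
    }
}
```

`Normalize` is stricter than a bare `OrdinalIgnoreCase` comparison on purpose: rejecting non-hex characters and odd lengths means a pasted value with stray characters fails loudly at configuration time rather than silently never matching any certificate.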