Apple certificate update #188

Open
ream88 opened this issue Mar 1, 2021 · 2 comments

Comments


ream88 commented Mar 1, 2021

Hello,

I recently received (like many others) an email from Apple, stating the following:

On March 29, 2021, token and certificate-based HTTP/2 connections to the Apple Push Notification service must incorporate the new root certificate (AAACertificateServices 5/12/2020) which replaces the old GeoTrust Global CA root certificate. To ensure a seamless transition and to avoid push notification delivery failures, verify that both the old and new root certificates for the HTTP/2 interface are included in the Trust Store of each of your notification servers before March 29.
Note that Apple Push Notification service SSL provider certificates issued to you by Apple do not need to be updated at this time.
Learn more about connecting to APNs.

Is pigeon affected by this? Do I need to change/update something so my apps continue to work?

@subsetpark

I'm in the same boat. I think that this happens at a lower level. Apple wants you to ensure that you have a certain root certificate in your "trust store", which is the collection of certificates that can be sources of trust for signed certificates. I believe that Pigeon, like the rest of Elixir applications, relies on the certificates in the :certifi package. And that AAA cert that Apple is switching to is already present in :certifi.

That said, if you use Pigeon without having :certifi installed, that blows my theory to bits and I'd like to know it!


hpopp commented Mar 5, 2021

I took a couple days to dig around and investigate before answering, but @subsetpark beat me to it.

So the good news:
Pigeon will work just fine as is.

The bad news:
It works because pigeon lacks CA validation.

Yesterday I learned that Erlang's :ssl application does not in fact pull the host OS's CA certificates by default. This has somehow escaped my notice in both of pigeon's http/2 client implementations (chatterbox and kadabra). I'm surprised an issue hasn't been raised until now.

How to Fix

I have published Kadabra 0.6.0 with certifi (~> 2.5) installed by default. I will be publishing a 1.6.1 release for pigeon that bumps kadabra to this minimum required version.

This kadabra release should be compatible as far back as pigeon 1.2.0, though you will need to override in your deps:

[
  {:kadabra, "~> 0.6.0", override: true},
]

I'll be doing an impact analysis and putting out a security notice. ADM pushes are not affected, as they use hackney for traditional HTTP requests. Anyone using a custom http/2 client adapter is not affected by kadabra's vulnerability either, though you will need to verify that library does not have a similar issue.
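An added example, not code from pigeon, kadabra or anyone in this thread, showing what the missing validation looks like at the :ssl level: the option set Erlang needs before it checks a server chain at all, and a check that the certifi bundle actually carries the root Apple is moving to. It assumes the :certifi dependency is present; the hostname is Apple's documented production APNs endpoint.

```elixir
# Added example (not pigeon/kadabra code). Assumes :certifi is a dependency.
defmodule ApnsTlsCheck do
  require Record

  Record.defrecord(:otp_cert, :OTPCertificate,
    Record.extract(:OTPCertificate, from_lib: "public_key/include/public_key.hrl"))
  Record.defrecord(:otp_tbs, :OTPTBSCertificate,
    Record.extract(:OTPTBSCertificate, from_lib: "public_key/include/public_key.hrl"))

  # Apple's documented production APNs host (HTTP/2 over TLS on 443).
  @host 'api.push.apple.com'
  @cn_oid {2, 5, 4, 3}

  # Without verify: :verify_peer plus a CA set, :ssl accepts any chain the
  # server presents. These options turn chain and hostname validation on.
  def verified_ssl_opts do
    [
      verify: :verify_peer,
      cacertfile: :certifi.cacertfile(),
      depth: 3,
      server_name_indication: @host,
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ],
      alpn_advertised_protocols: ["h2"]
    ]
  end

  # With the options above, a chain that does not end in a bundled root fails
  # with {:error, {:tls_alert, {:unknown_ca, _}}} instead of connecting silently.
  def connect(opts \\ verified_ssl_opts()) do
    case :ssl.connect(@host, 443, opts, 10_000) do
      {:ok, sock} ->
        :ssl.close(sock)
        :ok

      error ->
        error
    end
  end

  # True when a certificate whose subject CN equals `common_name` is in the
  # certifi bundle, e.g. root_present?("AAA Certificate Services").
  def root_present?(common_name) do
    Enum.any?(:certifi.cacerts(), fn der ->
      cert = :public_key.pkix_decode_cert(der, :otp)
      {:rdnSequence, rdns} = otp_tbs(otp_cert(cert, :tbsCertificate), :subject)

      Enum.any?(List.flatten(rdns), fn
        {:AttributeTypeAndValue, @cn_oid, {_type, cn}} -> to_string(cn) == common_name
        _ -> false
      end)
    end)
  end
end
```

Running `ApnsTlsCheck.root_present?("AAA Certificate Services")` answers the trust-store question from Apple's email for the bundle your release actually ships, and `ApnsTlsCheck.connect/0` confirms the handshake still succeeds once validation is enforced.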
