TLS: Check EKU in X509 chain checks (#2670)

NickCraver · web-flow · commit 2f69707d8748 · 2024-03-12T17:54:11.000-04:00
Further hardening following #2665. This is an additional check to match the .NET implementation for TLS cert checks so that we don't treat a cert flagged as non-TLS-server effectively. This ensures that a certificate either doesn't have OIDs here (valid, backwards compatible) or has the server-certificate OID indicating it's valid for consumption over TLS for us. Cheers @bartonjs for the report and info here.
diff --git a/docs/ReleaseNotes.md b/docs/ReleaseNotes.md
@@ -7,7 +7,7 @@ Current package versions:
 | [![StackExchange.Redis](https://img.shields.io/nuget/v/StackExchange.Redis.svg)](https://www.nuget.org/packages/StackExchange.Redis/) | [![StackExchange.Redis](https://img.shields.io/nuget/vpre/StackExchange.Redis.svg)](https://www.nuget.org/packages/StackExchange.Redis/) | [![StackExchange.Redis MyGet](https://img.shields.io/myget/stackoverflow/vpre/StackExchange.Redis.svg)](https://www.myget.org/feed/stackoverflow/package/nuget/StackExchange.Redis) |
 
 ## Unreleased
-No pending/unreleased changes.
+- TLS certificate/`TrustIssuer`: Check EKU in X509 chain checks when validating cerificates ([#2670 by NickCraver](https://github.com/StackExchange/StackExchange.Redis/pull/2670))
 
 ## 2.7.33
 
diff --git a/src/StackExchange.Redis/ConfigurationOptions.cs b/src/StackExchange.Redis/ConfigurationOptions.cs
@@ -312,6 +312,8 @@ private static RemoteCertificateValidationCallback TrustIssuerCallback(X509Certi
             };
         }
 
+        private static readonly Oid _serverAuthOid = new Oid("1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.1");
+
         private static bool CheckTrustedIssuer(X509Certificate2 certificateToValidate, X509Chain? chainToValidate, X509Certificate2 authority)
         {
             // Reference:
@@ -322,6 +324,8 @@ private static bool CheckTrustedIssuer(X509Certificate2 certificateToValidate, X
             chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
             chain.ChainPolicy.VerificationTime = chainToValidate?.ChainPolicy?.VerificationTime ?? DateTime.Now;
             chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 0, 0);
+            // Ensure entended key usage checks are run and that we're observing a server TLS certificate
+            chain.ChainPolicy.ApplicationPolicy.Add(_serverAuthOid);
 
             chain.ChainPolicy.ExtraStore.Add(authority);
             try
