Re: [openssl-dev] [openssl.org #4644] bug: cert verification always examining entire chain
> On Aug 9, 2016, at 2:52 PM, Salz, Rich via RT wrote:
>
> As Viktor pointed out, this doesn't work in 1.0.1

The story is a bit more complicated. What's really going on is that root (self-signed) CAs in the trust store are backwards-compatible implicit trust-anchors for all purposes. Intermediate certificates require auxiliary trust settings in the trust store to specify any purposes for which they are trusted or rejected as trust-anchors. Trusted certificates can be created via the "-addtrust" option of "openssl x509".

I've not checked 1.0.1, but explicitly trusted intermediates are likely to work with 1.0.1 if decorated as trusted via:

    openssl x509 -in cert.pem -trustout -addtrust serverAuth -out trusted.pem

or:

    openssl x509 -in cert.pem -trustout -addtrust anyExtendedKeyUsage -out trusted.pem

or similar.

-- 
	Viktor.

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4644] bug: cert verification always examining entire chain
> Why do you have to trust root CAs? Why can't you trust at a lower level, e.g.
> an intermediate CA or even a leaf certificate that is not a CA at all?

I said CAs, not root CAs. As Viktor pointed out, this doesn't work in 1.0.1

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4644
Please log in as guest with password guest if prompted
Re: [openssl-dev] [openssl.org #4644] bug: cert verification always examining entire chain
Why do you have to trust root CAs? Why can't you trust at a lower level, e.g. an intermediate CA or even a leaf certificate that is not a CA at all? Allowing this should inject no security issue and in fact enhance security by allowing you to be more restrictive in what you are willing to trust.

W. Matthew Edmonds
IBM Systems & Technology Group
Email: edmon...@us.ibm.com
Phone: (919) 543-7538 / Tie-Line: 441-7538

From: Rich Salz via RT
To: William M Edmonds/Raleigh/IBM@IBMUS
Cc: openssl-dev@openssl.org
Date: 08/08/2016 09:47 PM
Subject: [openssl.org #4644] bug: cert verification always examining entire chain

You have to create a trust store with the CAs that you trust.
Re: [openssl-dev] [openssl.org #4644] bug: cert verification always examining entire chain
On Tue, Aug 09, 2016 at 10:53:59AM +0100, David Woodhouse wrote:

> > As expected, unless you use the "-partial" flag in the command-line
> > utilities, or use the X509_VERIFY_PARAM_set_flags() to set the
> > X509_V_FLAG_PARTIAL_CHAIN flag when using the API.
>
> Is there an equivalent for 1.0.1?

None that I'm aware of, partial chain support was added in 1.0.2.

-- 
	Viktor.
Re: [openssl-dev] [openssl.org #4644] bug: cert verification always examining entire chain
On Tue, 2016-08-09 at 02:08 +, Viktor Dukhovni wrote:
> On Tue, Aug 09, 2016 at 01:45:24AM +, William M Edmonds via RT wrote:
> >
> > If I specify a CAfile that includes the leaf certificate and/or
> > intermediate CA certificates, but not the root certificate, then
> > verification fails.
>
> As expected, unless you use the "-partial" flag in the command-line
> utilities, or use the X509_VERIFY_PARAM_set_flags() to set the
> X509_V_FLAG_PARTIAL_CHAIN flag when using the API.

Is there an equivalent for 1.0.1?

-- 
dwmw2
Re: [openssl-dev] [openssl.org #4644] bug: cert verification always examining entire chain
On Tue, Aug 09, 2016 at 01:45:24AM +, William M Edmonds via RT wrote:

> If I specify a CAfile that includes the leaf certificate and/or
> intermediate CA certificates, but not the root certificate, then
> verification fails.

As expected, unless you use the "-partial" flag in the command-line utilities, or use the X509_VERIFY_PARAM_set_flags() to set the X509_V_FLAG_PARTIAL_CHAIN flag when using the API.

This ticket should be closed.

-- 
	Viktor.
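The behaviour discussed in this thread, reproduced end to end as an added example that is not part of the thread or of OpenSSL itself: a shell script that builds a throwaway root -> intermediate -> leaf PKI, then verifies the leaf (1) against a CAfile holding only the intermediate, which fails; (2) the same with the partial-chain flag, which passes; (3) against the intermediate re-encoded as a TRUSTED CERTIFICATE with "openssl x509 -trustout -addtrust serverAuth", the route Viktor describes in the first message, which passes without the partial-chain flag; and (4) against the root with the intermediate supplied as untrusted, the ordinary full chain. The command-line spelling of the flag in "openssl verify" is "-partial_chain" (it sets X509_V_FLAG_PARTIAL_CHAIN). Assumptions: an openssl binary of version 1.1.1 or later on PATH (the flag itself needs only 1.0.2+, as the thread says), a temporary directory for the files, and made-up names for the certificates.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes openssl >= 1.1.1 on PATH.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal config: no prompting (the -subj option supplies each DN), and one
# extension section per certificate role.
write_config() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = unused-overridden-by-subj
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed root, an intermediate signed by it, a server leaf signed by the
# intermediate. EC P-256 keys keep this fast; all names are constructed.
build_pki() {
  write_config
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_root \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" -days 2 \
    -subj "/CN=Example Test Root" >/dev/null 2>&1
  openssl req -new -config "$WORK/openssl.cnf" \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" \
    -subj "/CN=Example Test Intermediate" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/openssl.cnf" -extensions v3_int \
    -out "$WORK/int.pem" >/dev/null 2>&1
  openssl req -new -config "$WORK/openssl.cnf" \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/CN=www.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -extfile "$WORK/openssl.cnf" -extensions v3_leaf \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Runs "openssl verify <args> leaf.pem" and prints ok or fail.
verify_leaf() {
  if openssl verify "$@" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Prints four results, one per scenario:
#   1. CAfile holds only the intermediate              -> fail (chain never reaches a self-signed root)
#   2. same CAfile, with -partial_chain                -> ok   (the intermediate becomes the anchor)
#   3. intermediate re-encoded with -addtrust serverAuth,
#      verified for the sslserver purpose              -> ok   (explicit trust, no -partial_chain)
#   4. root in CAfile, intermediate given as -untrusted -> ok  (the ordinary full chain)
run_demo() {
  build_pki
  r1=$(verify_leaf -CAfile "$WORK/int.pem")
  r2=$(verify_leaf -partial_chain -CAfile "$WORK/int.pem")
  openssl x509 -in "$WORK/int.pem" -trustout -addtrust serverAuth \
    -out "$WORK/trusted-int.pem" 2>/dev/null
  r3=$(verify_leaf -purpose sslserver -CAfile "$WORK/trusted-int.pem")
  r4=$(verify_leaf -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem")
  echo "$r1 $r2 $r3 $r4"
}

if command -v openssl >/dev/null 2>&1; then
  echo "intermediate-only partial_chain trusted-intermediate full-chain"
  run_demo
else
  echo "openssl not found on PATH; nothing to run" >&2
fi
```

Scenario 3 passes "-purpose sslserver" because a trusted certificate decorated only with serverAuth trust is honoured when the verification purpose maps to that trust setting; decorating it with anyExtendedKeyUsage instead, as in Viktor's second command, makes it an anchor for the default purpose as well. Whichever route is used, the anchor is the narrowest certificate the verifier will stop at, which is the restriction the original poster was after.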