Re: [openssl-dev] [openssl.org #4644] bug: cert verification always examining entire chain

2016-08-09 Thread Viktor Dukhovni

> On Aug 9, 2016, at 2:52 PM, Salz, Rich via RT  wrote:
> 
> As Viktor pointed out, this doesn't work in 1.0.1

The story is a bit more complicated.  What's really going on is that
root (self-signed) CAs in the trust store are backwards-compatible
implicit trust-anchors for all purposes.  Intermediate certificates
require auxiliary trust settings in the trust store to specify any
purposes for which they are trusted or rejected as trust-anchors.

Trusted certificates can be created via the "-addtrust" option of
"openssl x509".  I've not checked 1.0.1, but explicitly trusted
intermediates are likely to work with 1.0.1 if decorated as trusted via:

   openssl x509 -in cert.pem -trustout -addtrust serverAuth -out trusted.pem

or:

   openssl x509 -in cert.pem -trustout -addtrust anyExtendedKeyUsage -out trusted.pem

or similar.

-- 
Viktor.

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] [openssl.org #4644] bug: cert verification always examining entire chain

2016-08-09 Thread Salz, Rich via RT
> Why do you have to trust root CAs? Why can't you trust at a lower level, e.g.
> an intermediate CA or even a leaf certificate that is not a CA at all?

I said CAs, not root CAs.

As Viktor pointed out, this doesn't work in 1.0.1

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4644
Please log in as guest with password guest if prompted



Re: [openssl-dev] [openssl.org #4644] bug: cert verification always examining entire chain

2016-08-09 Thread William M Edmonds via RT

Why do you have to trust root CAs? Why can't you trust at a lower level,
e.g. an intermediate CA or even a leaf certificate that is not a CA at all?
Allowing this should inject no security issue and in fact enhance security
by allowing you to be more restrictive in what you are willing to trust.


W. Matthew Edmonds
IBM Systems & Technology Group
Email: edmon...@us.ibm.com
Phone: (919) 543-7538 / Tie-Line: 441-7538



From:   Rich Salz via RT 
To: William M Edmonds/Raleigh/IBM@IBMUS
Cc: openssl-dev@openssl.org
Date:   08/08/2016 09:47 PM
Subject: [openssl.org #4644] bug: cert verification always examining entire chain



You have to create a trust store with the CAs that you trust.




Re: [openssl-dev] [openssl.org #4644] bug: cert verification always examining entire chain

2016-08-09 Thread Viktor Dukhovni
On Tue, Aug 09, 2016 at 10:53:59AM +0100, David Woodhouse wrote:

> > As expected, unless you use the "-partial" flag in the command-line
> > utilities, or use the X509_VERIFY_PARAM_set_flags() to set the
> > X509_V_FLAG_PARTIAL_CHAIN flag when using the API.
> 
> Is there an equivalent for 1.0.1?

None that I'm aware of, partial chain support was added in 1.0.2.

--
Viktor.


Re: [openssl-dev] [openssl.org #4644] bug: cert verification always examining entire chain

2016-08-09 Thread David Woodhouse
On Tue, 2016-08-09 at 02:08 +, Viktor Dukhovni wrote:
> On Tue, Aug 09, 2016 at 01:45:24AM +, William M Edmonds via RT wrote:
> 
> > 
> > If I specify a CAfile that includes the leaf certificate and/or
> > intermediate CA certificates, but not the root certificate, then
> > verification fails.
> 
> As expected, unless you use the "-partial" flag in the command-line
> utilities, or use the X509_VERIFY_PARAM_set_flags() to set the
> X509_V_FLAG_PARTIAL_CHAIN flag when using the API.

Is there an equivalent for 1.0.1?

-- 
dwmw2



Re: [openssl-dev] [openssl.org #4644] bug: cert verification always examining entire chain

2016-08-08 Thread Viktor Dukhovni
On Tue, Aug 09, 2016 at 01:45:24AM +, William M Edmonds via RT wrote:

> If I specify a CAfile that includes the leaf certificate and/or
> intermediate CA certificates, but not the root certificate, then
> verification fails.

As expected, unless you use the "-partial" flag in the command-line
utilities, or use the X509_VERIFY_PARAM_set_flags() to set the
X509_V_FLAG_PARTIAL_CHAIN flag when using the API.

This ticket should be closed.

-- 
Viktor.
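The two rules this thread turns on, as a small runnable model: an undecorated self-signed root in the trust store is an implicit anchor for every purpose, an intermediate placed in the store only terminates the chain if it carries "-addtrust" settings covering the purpose being checked (Viktor's earlier message on this page), and with the X509_V_FLAG_PARTIAL_CHAIN flag any certificate found in the store, even the leaf, ends the chain. This is an added example and not code from the thread or from OpenSSL: certificates are plain records, the signature check is replaced by an issuer-name plus issuer-key-id match, and every name, key id and helper function is constructed for the illustration.

```python
"""Model of how OpenSSL chooses a trust anchor while building a chain.

Constructed example, not OpenSSL code.  Certificates are plain records and
the "signature check" is an issuer-name plus issuer-key-id match.  It
reproduces the behaviours described in the thread: undecorated self-signed
roots are implicit anchors; a non-self-signed store certificate is an anchor
only if its aux trust settings ("openssl x509 -addtrust ...") cover the
requested purpose; with partial_chain=True (X509_V_FLAG_PARTIAL_CHAIN,
OpenSSL 1.0.2+) any certificate found in the store ends the chain.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

ANY_EKU = "anyExtendedKeyUsage"
TRUSTED, UNTRUSTED, REJECTED = "trusted", "untrusted", "rejected"


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str                      # identifies this certificate's public key
    issuer_key_id: str               # key that signed this certificate
    trust: frozenset = frozenset()   # aux trusted purposes (-addtrust)
    reject: frozenset = frozenset()  # aux rejected purposes (-addreject)

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer and self.key_id == self.issuer_key_id


def check_trust(cert: Cert, purpose: str, partial_chain: bool) -> str:
    """Decide whether a certificate found in the trust store ends the chain."""
    if purpose in cert.reject or ANY_EKU in cert.reject:
        return REJECTED                  # explicit rejection always wins
    if partial_chain:
        return TRUSTED                   # any store member is an anchor
    if purpose in cert.trust or ANY_EKU in cert.trust:
        return TRUSTED                   # explicitly trusted for this purpose
    if cert.trust:
        return UNTRUSTED                 # decorated, but not for this purpose
    return TRUSTED if cert.self_signed else UNTRUSTED   # compat: undecorated roots only


def find_issuer(cert: Cert, pool: List[Cert]) -> Optional[Cert]:
    """Stand-in for a signature check: issuer name and signing key must match."""
    for c in pool:
        if c.subject == cert.issuer and c.key_id == cert.issuer_key_id:
            return c
    return None


def find_in_store(cert: Cert, store: List[Cert]) -> Optional[Cert]:
    """Return the store's copy of cert; that copy carries the aux trust settings."""
    for c in store:
        if c.subject == cert.subject and c.key_id == cert.key_id:
            return c
    return None


def build_chain(leaf: Cert, untrusted: List[Cert], store: List[Cert],
                purpose: str = ANY_EKU, partial_chain: bool = False
                ) -> Tuple[bool, List[Cert], str]:
    """Walk from the leaf towards an anchor; return (ok, chain, reason)."""
    chain = [leaf]
    while len(chain) <= 16:              # depth guard against issuer loops
        cur = chain[-1]
        store_copy = find_in_store(cur, store)
        if store_copy is not None:
            verdict = check_trust(store_copy, purpose, partial_chain)
            if verdict == TRUSTED:
                return True, chain, f"anchor: {store_copy.subject}"
            if verdict == REJECTED:
                return False, chain, f"rejected for {purpose}: {store_copy.subject}"
        if cur.self_signed:
            return False, chain, f"self-signed certificate not trusted: {cur.subject}"
        issuer = find_issuer(cur, untrusted) or find_issuer(cur, store)
        if issuer is None:
            return False, chain, f"unable to get issuer certificate for {cur.subject}"
        chain.append(issuer)
    return False, chain, "chain too long"


# Constructed three-level hierarchy; the names and key ids are made up.
ROOT = Cert("Example Root CA", "Example Root CA", "k-root", "k-root")
INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA", "k-int", "k-root")
LEAF = Cert("www.example.test", "Example Issuing CA", "k-leaf", "k-int")


def demo() -> dict:
    """The situations raised in the thread, keyed by a short description."""
    trusted_int = replace(INTERMEDIATE, trust=frozenset({"serverAuth"}))
    rejected_int = replace(INTERMEDIATE, reject=frozenset({"serverAuth"}))
    return {
        "root in store":           build_chain(LEAF, [INTERMEDIATE], [ROOT]),
        "intermediate only":       build_chain(LEAF, [], [INTERMEDIATE]),
        "partial chain flag":      build_chain(LEAF, [], [INTERMEDIATE], partial_chain=True),
        "leaf in store, partial":  build_chain(LEAF, [], [LEAF], partial_chain=True),
        "addtrust serverAuth":     build_chain(LEAF, [], [trusted_int], purpose="serverAuth"),
        "addtrust, wrong purpose": build_chain(LEAF, [], [trusted_int], purpose="clientAuth"),
        "addreject serverAuth":    build_chain(LEAF, [], [rejected_int], purpose="serverAuth"),
    }


if __name__ == "__main__":
    for name, (ok, chain, reason) in demo().items():
        print(f"{name:25} {'ok  ' if ok else 'FAIL'} depth={len(chain)} {reason}")
```

The "intermediate only" case is the one the ticket reports: the intermediate is found in the store, but because it is neither self-signed nor decorated with trust settings the walk keeps looking for its issuer and fails when the root is absent. The "partial chain flag" and "addtrust serverAuth" cases show the two ways out discussed here (the 1.0.2 flag, or a decorated intermediate that works with 1.0.1 as well), and "addtrust, wrong purpose" shows why the purpose named in -addtrust matters.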