Re: [openssl-users] Certificate chain validation

2017-04-21 Thread Lei Kong
Right on!
I think it is indeed an issue of partial chain on the loading side.

As a related question, on the loading side, do I need to provide the whole 
chain to SSL_CTX_use_certificate?
If the intermediate CA certificate is installed in a default location like 
/etc/ssl/certs, and only the end certificate is passed to SSL_CTX_use_certificate, 
will OpenSSL search the default locations to build a complete chain before 
sending it to the remote side?

Thanks.

From: Jakob Bohm
Sent: Friday, April 21, 2017 5:10 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Certificate chain validation

On 21/04/2017 03:37, Lei Kong wrote:
>
> When validating a certificate issued by an intermediate certificate
> authority, I noticed that I need to install both the root and the
> intermediate CA certificate locally (with update-ca-certificates on
> Ubuntu 16.04). Verification fails if only the root CA cert is installed
> (the intermediate is not installed); is this expected behavior? Why do I
> need to install the intermediate CA cert locally? Is the locally installed
> root CA cert not enough to validate the intermediate CA cert?
>
This is only necessary if the other end of the connection
(incorrectly) forgets to include the intermediate in the
certificate bundle sent with the data or protocol exchange.

> Is it possible to make chain validation work with only root CA cert
> installed locally?
>
Yes, if the other end is not misconfigured and you pass the
received certificate bundle to the appropriate validation
related function as a list of untrusted additional certificates,
which the certificate verification code can search for needed
intermediate certificates.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Certificate chain validation

2017-04-21 Thread Salz, Rich via openssl-users
You are asking two different questions.

The certificates that the *client* sends are specified by the various “use 
certificate” APIs.  No chain is built.  See 
doc/man3/SSL_CTX_use_certificate.pod, especially the “use certificate chain 
file” API.

As for what the *server* does, it tries to use what the client sends and build 
a chain up to one of the certificates that is in the local, server, trust store.

The APIs are a bit different for 1.0.2 than for 1.1.0.


Re: [openssl-users] How do I connect to this server

2017-04-21 Thread Salz, Rich via openssl-users
> https://username:passw...@server.com
> How do I specify this username and password when using SSL_connect()?

You don't.  That stuff is at the protocol level about TLS/SSL.




Re: [openssl-users] Certificate chain validation

2017-04-21 Thread Lei Kong
According to 
https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_add_extra_chain_cert.html, 
openssl will search the default locations for chain building:


“If no chain is specified, the library will try to complete the chain from the 
available CA certificates in the trusted CA storage, see 
SSL_CTX_load_verify_locations.”



Re: [openssl-users] [EXTERNAL] How do I connect to this server

2017-04-21 Thread Sands, Daniel
On Fri, 2017-04-21 at 16:09 -0400, Jeff Archer wrote:
> I have a server that requires that username and password be used as
> https://username:passw...@server.com
> 
> 
> How do I specify this username and password when using SSL_connect()?

You don't.  The username and password are encoded into the request
header just like with HTTP, after the connection and handshake are done.
That's separate from the TLS transport.

You might consider a library like CURL, which handles both the TLS and
the HTTP, if you want to save on devel time.



[openssl-users] How do I connect to this server

2017-04-21 Thread Jeff Archer
I have a server that requires that username and password be used as
https://username:passw...@server.com

How do I specify this username and password when using SSL_connect()?

Thanks,
Jeff


Re: [openssl-users] Certificate chain validation

2017-04-21 Thread Salz, Rich via openssl-users
No, you must have a chain up to a local trust anchor.

You can install the intermediate in your trust store.

--
Senior Architect, Akamai Technologies
Member, OpenSSL Dev Team
IM: richs...@jabber.at Twitter: RichSalz

From: Lei Kong [mailto:leik...@msn.com]
Sent: Thursday, April 20, 2017 9:38 PM
To: openssl-users@openssl.org
Subject: [openssl-users] Certificate chain validation

When validating a certificate issued by an intermediate certificate authority, 
I noticed that I need to install both the root and the intermediate CA 
certificate locally (with update-ca-certificates on Ubuntu 16.04). Verification 
fails if only the root CA cert is installed (the intermediate is not installed); is 
this expected behavior? Why do I need to install the intermediate CA cert locally? 
Is the locally installed root CA cert not enough to validate the intermediate CA cert?

Is it possible to make chain validation work with only root CA cert installed 
locally?

Thanks.



Re: [openssl-users] Certificate chain validation

2017-04-21 Thread Jakob Bohm

On 21/04/2017 03:37, Lei Kong wrote:
>
> When validating a certificate issued by an intermediate certificate 
> authority, I noticed that I need to install both the root and the 
> intermediate CA certificate locally (with update-ca-certificates on 
> Ubuntu 16.04). Verification fails if only the root CA cert is installed 
> (the intermediate is not installed); is this expected behavior? Why do I 
> need to install the intermediate CA cert locally? Is the locally installed 
> root CA cert not enough to validate the intermediate CA cert?
>
This is only necessary if the other end of the connection
(incorrectly) forgets to include the intermediate in the
certificate bundle sent with the data or protocol exchange.

> Is it possible to make chain validation work with only root CA cert 
> installed locally?
>
Yes, if the other end is not misconfigured and you pass the
received certificate bundle to the appropriate validation
related function as a list of untrusted additional certificates,
which the certificate verification code can search for needed
intermediate certificates.

Enjoy

Jakob

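As an added example (not code from this thread or from OpenSSL), the following script builds a throwaway root/intermediate/leaf chain with the openssl CLI and reproduces Lei's failure together with both answers: Jakob's approach of handing the peer's intermediate to the verifier as an untrusted certificate (-untrusted), and Rich's approach of trusting the intermediate directly (which then needs -partial_chain, the CLI form of X509_V_FLAG_PARTIAL_CHAIN). It assumes an openssl CLI of 1.0.2 or later on PATH; the file names, subjects and serials are constructed for the demo.

```shell
#!/bin/sh
# Added example for the chain-validation thread (not code from the list or from OpenSSL).
# Assumes an openssl CLI (1.0.2 or newer) on PATH; names, subjects and serials are constructed.
set -eu

WORK=$(mktemp -d)   # throwaway directory for the demo keys and certificates

# Build root -> intermediate -> leaf. Idempotent so it can be called more than once.
make_chain() {
    if [ -f "$WORK/leaf.pem" ]; then return 0; fi
    # Self-signed root; "req -x509" marks it as a CA.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj /CN=Demo-Root \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    # Intermediate CA: a CSR signed by the root, with CA extensions taken from an extfile.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=Demo-Intermediate \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -set_serial 2 -in "$WORK/int.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -extfile "$WORK/ca.ext" \
        -out "$WORK/int.pem" 2>/dev/null
    # End-entity certificate issued by the intermediate (what a peer would present).
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=leaf.example \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -set_serial 3 -in "$WORK/leaf.csr" \
        -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -out "$WORK/leaf.pem" 2>/dev/null
}

# Runs "openssl verify <options> leaf.pem" and prints ok or fail.
verify_leaf() {
    if openssl verify "$@" "$WORK/leaf.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_chain
# 1) Only the root is trusted and the peer omitted the intermediate: fails with
#    "unable to get local issuer certificate" (Lei's observation).
echo "root only:                   $(verify_leaf -CAfile "$WORK/root.pem")"
# 2) Root trusted, intermediate from the peer's bundle supplied as *untrusted*:
#    the verifier uses it to complete the chain (Jakob's answer).
echo "root + untrusted int:        $(verify_leaf -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem")"
# 3) Intermediate itself in the trust store: needs -partial_chain, because the
#    chain then ends at a trust anchor that is not self-signed (Rich's answer).
echo "int trusted + partial_chain: $(verify_leaf -CAfile "$WORK/int.pem" -partial_chain)"
```

Without -partial_chain, case 3 still fails because OpenSSL keeps looking for the intermediate's own issuer; that is the "chain up to a local trust anchor" requirement Rich describes.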


[openssl-users] Certificate chain validation

2017-04-21 Thread Lei Kong
When validating a certificate issued by an intermediate certificate authority, 
I noticed that I need to install both the root and the intermediate CA 
certificate locally (with update-ca-certificates on Ubuntu 16.04). Verification 
fails if only the root CA cert is installed (the intermediate is not installed); is 
this expected behavior? Why do I need to install the intermediate CA cert locally? 
Is the locally installed root CA cert not enough to validate the intermediate CA cert?

Is it possible to make chain validation work with only root CA cert installed 
locally?

Thanks.



[openssl-users] Automatic download of CRL

2017-04-21 Thread Lei Kong
I am using 1.0.2g. CRL checking works fine on my certificate when I download 
and save the CRL in PEM format locally.

I noticed that “openssl verify” has this option:
-crl_download
   Attempt to download CRL information for this certificate.

But it does not work for me. The CRL URL embedded in my certificate points to a 
CRL file in DER format; maybe this is the reason “download” didn’t work?

If I want to enable “automatic download” in C code, do I have to provide a 
callback to X509_STORE_set_lookup_crls_cb, or is there a simpler way (e.g. a 
flag)?
If I must provide such a callback, do I need to handle DER vs PEM encoding in 
the callback?

Thanks much.



Re: [openssl-users] SSL_shutdown return error when close in init

2017-04-21 Thread Jakob Bohm

On 21/04/2017 01:35, Linsell, StevenX wrote:

> On 20/04/2017, Bohm, Jakob wrote:
>
>> Let me clarify: The idea was not to change the synchronization structure,
>> but to set a flag or otherwise (asynchronously or in a small critical
>> section) change the state such that when the communication async
>> operations resume, they will proceed directly to a failure state
>> skipping as much of the processing and transmission as possible.
>> For example if it was waiting for a "hello" from the other end,
>> when that "hello" arrives, it would not process the bytes in that
>> hello, but respond as if it received a bad hello (with
>> "aborted/closed" rather than "invalid hello" as the error/alert
>> code).  It would not proceed to e.g. validate incoming public keys,
>> send public keys, generate nonces, derive keys etc.
>
> So am I correct in thinking you are asking for an 'abort' mechanism for
> the async job? Effectively you would set a flag on the async job,
> then call the SSL_do_handshake again, and when it switched back into
> the async job (fibre) it would detect it was being aborted and return
> up the stack with a failure. You do still need to call the SSL_do_handshake
> that one time so that the fibre can run to completion and everything
> gets tidied up correctly though.
Even simpler: Just abort at the protocol level (not deep inside crypto) when
the next protocol level processing is about to be done anyway, making most of
the logic a simple reuse of what would happen if the other end sent a
malformed or otherwise unacceptable handshake record.

So if crypto is busy calculating DH shared secrets and deriving keys, it would
just continue doing so (asynchronously), then when the result is about to be
used at the protocol level, the protocol sees and executes the abort flag.

Similarly if the protocol is waiting for a handshake record from the other end,
it would continue that wait, then abort just before processing either a received
handshake or a protocol error (such as lost connection).

Enjoy

Jakob
