Re: [openssl-users] Certificate chain validation

2017-04-23 Thread Lei Kong
https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_use_certificate.html
https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_add_extra_chain_cert.html

The linked documents didn’t say the APIs must be called on the *client* side, and 
it works fine in my code on both the client and server side.
I am under the impression that there is no asymmetry in terms of *sending* side 
chain building for the client and server side; does what you said below mean the 
client side always sends a *partial* chain to the server side?

Thanks.

From: Salz, Rich via openssl-users
Sent: Friday, April 21, 2017 3:37 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Certificate chain validation

You are asking two different questions.

The certificates that the *client* sends are specified by the various “use 
certificate” APIs.  No chain is built.  See 
doc/man3/SSL_CTX_use_certificate.pod, especially the “use certificate chain 
file” API.

As for what the *server* does, it tries to use what the client sends and build 
a chain up to one of the certificates that is in the local, server, trust store.

The APIs are a bit different for 1.0.2 than for 1.1.0.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Certificate chain validation

2017-04-21 Thread Lei Kong
Right on!
I think it is indeed an issue of partial chain on the loading side.

As a related question, on the loading side, do I need to provide the whole 
chain to SSL_CTX_use_certificate?
If the intermediate CA certificate is installed in a default location like 
/etc/ssl/certs, and only the end certificate is passed to SSL_CTX_use_certificate, 
will openssl search the default locations to build a complete chain before 
sending it to the remote side?

Thanks.

From: Jakob Bohm <jb-open...@wisemo.com>
Sent: Friday, April 21, 2017 5:10 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Certificate chain validation

On 21/04/2017 03:37, Lei Kong wrote:
>
> When validating a certificate issued by an intermediate certificate
> authority, I noticed that I need to install both the root and the
> intermediate CA certificate locally (with update-ca-certificates on
> ubuntu 16.04). Verification fails if only root CA cert is installed
> (intermediate is not installed), is this expected behavior? Why do I
> need to install intermediate CA cert locally? Locally installed root
> CA cert is not enough to validate intermediate CA cert?
>
This is only necessary if the other end of the connection
(incorrectly) forgets to include the intermediate in the
certificate bundle sent with the data or protocol exchange.

> Is it possible to make chain validation work with only root CA cert
> installed locally?
>
Yes, if the other end is not misconfigured and you pass the
received certificate bundle to the appropriate validation
related function as a list of untrusted additional certificates,
which the certificate verification code can search for needed
intermediate certificates.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

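Jakob's answer above (trust only the root locally, and hand the bundle the peer sent to the verifier as *untrusted* certificates) as an added example that is not from the thread: a constructed root/intermediate/leaf PKI is generated in a scratch directory and the two cases are run with the openssl CLI. The file names (root.pem, int.pem, leaf.pem, bundle.pem) and the CN values are assumptions of this script.

```shell
#!/bin/sh
# Constructed example: build a root -> intermediate -> leaf PKI in a scratch
# directory, then run the verification cases from the thread with "openssl verify".
set -u
PKI_DIR=$(mktemp -d)
trap 'rm -rf "$PKI_DIR"' EXIT
cd "$PKI_DIR" || exit 1

make_pki() {
    # Extensions that mark a certificate as a CA (used for root and intermediate)
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >ca.ext
    # Self-signed root: the trust anchor the relying party installs locally
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=Example-Root \
        -keyout root.key -out root.csr >/dev/null 2>&1
    openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
        -out root.pem >/dev/null 2>&1
    # Intermediate CA, issued by the root
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=Example-Intermediate \
        -keyout int.key -out int.csr >/dev/null 2>&1
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1 -extfile ca.ext -out int.pem >/dev/null 2>&1
    # Leaf (end-entity) certificate, issued by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=server.example \
        -keyout leaf.key -out leaf.csr >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 1 -out leaf.pem >/dev/null 2>&1
    # The bundle a correctly configured peer sends: leaf followed by intermediate
    cat leaf.pem int.pem >bundle.pem
}

# verify_leaf TRUST_FILE [UNTRUSTED_FILE]: exit 0 if leaf.pem chains to a cert in
# TRUST_FILE. -no-CApath keeps the system store (/etc/ssl/certs) out, so
# TRUST_FILE is the only trust anchor, as in the original question.
verify_leaf() {
    if [ $# -ge 2 ]; then
        openssl verify -no-CApath -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1
    else
        openssl verify -no-CApath -CAfile "$1" leaf.pem >/dev/null 2>&1
    fi
}

# outcome CMD...: prints "ok" or "fail" so results can be compared as strings
outcome() { if "$@"; then echo ok; else echo fail; fi; }

make_pki
# Root only, nothing else: what a peer that omits the intermediate produces
echo "root only, leaf alone:                $(outcome verify_leaf root.pem)"
# Root only, but the received bundle is searched for the missing intermediate
echo "root only, received bundle untrusted: $(outcome verify_leaf root.pem bundle.pem)"
```

The first case reproduces the failure in the original question; the second is the fix Jakob describes, with nothing but the root in the trust store.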


Re: [openssl-users] Certificate chain validation

2017-04-21 Thread Lei Kong
According to 
https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_add_extra_chain_cert.html, 
openssl will search the default locations for chain building:

“If no chain is specified, the library will try to complete the chain from the 
available CA certificates in the trusted CA storage, see 
SSL_CTX_load_verify_locations 
(https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_load_verify_locations.html).”




[openssl-users] Certificate chain validation

2017-04-21 Thread Lei Kong
When validating a certificate issued by an intermediate certificate authority, 
I noticed that I need to install both the root and the intermediate CA 
certificate locally (with update-ca-certificates on ubuntu 16.04). Verification 
fails if only the root CA cert is installed (the intermediate is not installed); 
is this expected behavior? Why do I need to install the intermediate CA cert 
locally? Is the locally installed root CA cert not enough to validate the 
intermediate CA cert?

Is it possible to make chain validation work with only the root CA cert 
installed locally?

Thanks.



[openssl-users] Automatic download of CRL

2017-04-21 Thread Lei Kong
I am using 1.0.2g. CRL checking works fine on my certificate when I download 
and save CRL in PEM format locally.

I noticed that “openssl verify” has this option:
-crl_download
   Attempt to download CRL information for this certificate.

But it does not work for me. The CRL URL embedded in my certificate points to a 
CRL file in DER format; maybe this is the reason “download” didn’t work?

If I want to enable “automatic download” in C code, do I have to provide a 
callback to X509_STORE_set_lookup_crls_cb, or is there a simpler way (e.g. a 
flag)?
If I must provide such a callback, do I need to handle DER vs. PEM encoding in 
the callback?

Thanks much.



[openssl-users] TLSv1_2_method

2017-03-24 Thread Lei Kong
Can processes running with TLSv1_2_method talk to processes running with 
something older, e.g. TLSv1_1_method? Along the same lines, will new TLS 
versions be backward compatible with TLSv1_2_method?

I would like to make my code future-proof; is there something like 
TLS_latest_method()?

I have a cluster of nodes that talk to each other with TLS; currently the 
version is hardcoded to TLSv1_2_method. Suppose TLSv1_2 is deprecated by 
TLS_new one day and I update my service to use TLS_new node by node. During this 
time, some old nodes are running with TLSv1_2 and some new nodes are running 
with TLS_new; will the communication between old and new nodes work?

Thanks.



Re: [openssl-users] SSL_set_verify with a context?

2016-10-27 Thread Lei Kong
I am using the following to link ssl to my container structure, so is it 
possible to get ssl from x509_ctx in verify_callback?
SSL_set_app_data(ssl, this);

int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx);





[openssl-users] SSL_set_verify with a context?

2016-10-27 Thread Lei Kong
What I am trying to achieve is to allow some minor certificate chain validation 
errors, e.g. "CRL unavailable", based on my per-session configuration. I am 
thinking of using my verify callback to record the errors.

void SSL_set_verify(SSL *s, int mode, int (*verify_callback)(int, 
X509_STORE_CTX *));

int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx);


Given the above interfaces, it seems I cannot set the callback with a context, 
which is needed to link a callback instance to my SSL session for error 
tracking. Yes, I can use SSL_get_verify_result to get the error afterwards, but 
is it guaranteed that the most severe error is always returned by 
SSL_get_verify_result? For example, I don't want "unable to get CRL" to mask 
other more important errors.


I would rather avoid re-validating the whole chain manually after the default 
validation is completed; is it possible to achieve my goal without repeating 
chain validation manually?


Any comment will be appreciated.


[openssl-users] OpenSSL in Linux kernel

2016-04-21 Thread Lei Kong
Can SSL library be used in Linux kernel mode?
Thanks.
