On Wed, Mar 26, 2014 at 1:11 PM, Dr Stephen Henson <shen...@opensslfoundation.com> wrote:
> On 26/03/2014 11:11, Emilia Kasper wrote:
> > Hi mod_ssl devs,
> >
> > I have a small patch for mod_ssl that uses new OpenSSL (>=1.0.2) methods when
> > available to automatically rebuild misconfigured certificate chains.
> >
> > Github pull request: https://github.com/apache/httpd/pull/7
> >
> > Some of the common server chain misconfigurations are a) including the
> > self-signed root certificate in the chain and b) missing an intermediate
> > certificate in the chain. a) is bad because it bloats the handshake and b) is
> > bad because the client can't always validate the chain.
> >
> > The patch fixes a) by sanity-checking the chain and chopping self-signed roots.
> > I believe it's harmless to turn on by default as the rebuild step will either
> > yield a valid chain or preserve the original configuration.
> >
> > I've no good idea how to reliably detect and fix missing intermediates but would
> > be happy to try out any good suggestions.
> >
>
> I think this is a good idea in principle. A major motivation for adding
> SSL_CTX_build_cert_chain to OpenSSL was to correct common chain configuration
> errors automatically (certificates in wrong order or additional bogus ones
> added) and to detect some other cases (chain not complete). Badly configured
> server chains have been a headache for clients for quite a while.
>
> A secondary motivation was to improve efficiency by avoiding the "on the fly"
> certificate chain building on each handshake and just build the chain once.
>
> There are some side effects with doing this though.
>
> If the server is correctly configured to exclude the root then the chain build
> will fail. The root is needed during path verification to see that the chain is
> complete.
>

Hmmm - it wasn't obvious from the doc that SSL_BUILD_CHAIN_FLAG_CHECK would fail this way, but now that I think about it, I see you're right. This seems to be a limitation of X509_verify_cert and I'm not sure what to do about it.

Would SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR be too dangerous to set? We'd still be building a best-effort correct issuer chain, just no longer fully validating it. So I don't think it could mess up any good configurations (famous last words?)

> Some old "on the fly" configurations that place intermediate CAs in the trusted
> store are also likely to fail.
>

I don't think the trusted store affects SSL_BUILD_CHAIN_FLAG_CHECK mode at all.

> Possible workaround is a way to turn off the checking, an
> "IReallyKnowWhatImDoing" kind of thing which is disabled by default. Or just
> require affected users to reconfigure their servers.
>

Requiring servers to provide the root they believe they're chaining to would also help warn about missing intermediates, so that's a good thing. On the other hand, the "couldn't find a trusted root" error message would be annoying to servers who've had it right all along, and that's a bad thing. Not sure which outweighs the other...

> As for the patch itself. There could be a cleaner way to achieve the same thing.
> We're already optionally iterating through all certificates for OCSP stapling
> using the 1.0.2 APIs so perhaps that can be adapted to perform a chain build
> sanity check at the same time.
>

I'm not sure what you mean here - I've already added the chain build call to exactly the iteration you mention.

Emilia

> Steve.
> --
> Dr Stephen Henson. OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD 21710
> +1 877-673-6775
> shen...@opensslfoundation.com
>
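The chain-rebuild behaviour debated in this exchange (chopping a self-signed root, fixing a wrong order, the CHECK-mode failure Steve describes when a server correctly omits its root, and the IGNORE_ERROR fallback Emilia suggests), as an added model that is neither the mod_ssl patch nor OpenSSL's own code. It represents certificates by subject and issuer names only and does not check signatures; the status values are chosen to mirror the documented 1/0/2 results of SSL_CTX_build_cert_chain.

```python
from collections import namedtuple

# Constructed stand-in for an X.509 certificate: only the names matter here,
# signatures and validity periods are not modelled.
Cert = namedtuple("Cert", "subject issuer")

# Status values mirror the documented SSL_CTX_build_cert_chain() results:
# 1 = chain built and verified, 0 = build failed,
# 2 = verification failed but the chain was kept (IGNORE_ERROR behaviour).
BUILT_OK, BUILD_FAILED, BUILT_UNVERIFIED = 1, 0, 2


def is_self_signed(cert):
    return cert.subject == cert.issuer


def build_chain(leaf, extra, trusted, ignore_error=False):
    """Rebuild the chain sent with `leaf` from the configured `extra` certs.

    Returns (status, chain): `chain` lists the intermediates in issuer order,
    without the leaf and without any self-signed root.
    """
    by_subject = {c.subject: c for c in extra}
    trusted_subjects = {t.subject for t in trusted}
    chain, seen, cur = [], {leaf.subject}, leaf
    # Walk issuer links through the configured certificates: this fixes a
    # wrong ordering and drops a self-signed root (misconfiguration a).
    while not is_self_signed(cur) and cur.issuer in by_subject:
        cur = by_subject[cur.issuer]
        if cur.subject in seen:          # guard against issuer loops
            break
        seen.add(cur.subject)
        if not is_self_signed(cur):
            chain.append(cur)
    # Path verification: the walk must end at a root in the trust store.
    # A server that correctly omits its root, with an empty trust store, stops
    # here without an anchor: the CHECK-mode failure described in the thread.
    # A missing intermediate (misconfiguration b) stops here too, at the leaf.
    if cur.issuer in trusted_subjects:
        return BUILT_OK, chain
    if ignore_error:
        return BUILT_UNVERIFIED, chain   # best-effort chain, left unvalidated
    return BUILD_FAILED, []
```

With a trust store present, a status other than 1 is exactly the warning about a missing intermediate that the thread says a configured root would make possible.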