Thanks for the quick response, Steve.
On 08/03/13 11:27, Dr. Stephen Henson wrote:
On Fri, Aug 02, 2013, Misaki.Miyashita wrote:
> Hello,
>
> We have a server whose ServerCert is signed by an
> intermediateCA, which is signed by a RootCA.
> Currently, OpenSSL seems to require the RootCA cert to be installed (in
> the certs dir) in order to connect to the server.
> We would like a feature where the leaf certificate (ServerCert) can
> be trusted if that particular cert is in the certs dir.
>
> Jordan Brown was in contact with Steve H. to find out that there is
> an experimental X509_V_FLAG_PARTIAL_CHAIN flag support in 1.0.2.
> We tried our experiment with 1.0.2 and X509_V_FLAG_PARTIAL_CHAIN.
> That helped some but does not seem to have addressed the need.
>
> I need some help understanding what's going on to resolve this issue.
> Here are my findings:
>
> Test 1: openssl verify -partial_chain ServerCert.pem
>
> - This is successful if the intermediate cert is installed: This
> is good.
> - Without "-partial_chain", 'openssl verify' fails even if the
> intermediate cert is installed.
> - openssl stat()s for intermediate cert (success) and RootCA
> cert (fail)
> - check_trust() returns TRUSTED as last_untrusted(=1) is less than
> sk_X509_num(=2)
>
> - This fails if only the ServerCert is installed.
> - OpenSSL stats for the intermediateCA (fail) only.
> - check_trust() returns UNTRUSTED as last_untrusted(=1) is not less
> than sk_X509_num(=1)
> - We would like this case to be successful.
>
> Test 2: openssl s_client -connect lc-sfbay-02:636 -partial_chain
> -CApath /etc/openssl/certs
>
> - This is successful if RootCA certificate is installed
> - openssl stat()s for RootCA cert (success)
>
> - This fails if RootCA is not installed even if ServerCert and/or
> intermediateCA is installed
> - openssl stat()s for RootCA cert (fail) only
> - check_trust() returns UNTRUSTED as last_untrusted(=2) is not less
> than sk_X509_num(=2)
> - We would like this case to succeed.
>
> Can I get some help figuring out what needs to be changed so that
> the leaf certificate (ServerCert) can be trusted?
>
> This works fine for me and the test certificate apps/server.pem. I'm not sure
> what the problem is unless you didn't call c_rehash or equivalent after you
> installed the server certificate. Try using the -CAfile option too.
I have a <digest>.0 file linking to the .pem file in the certs dir.
(Note: VS.pem is the root CA cert, oracle.pem is the intermediate CA
cert, lc-sfbay-02.pem is the ServerCert)
/etc/openssl/certs# ls -l
total 103
drwxr-xr-x 2 root root 5 Jul 31 10:57 OLD
-rw-r--r-- 1 root root 1484 Jul 31 08:19 VS.pem
lrwxrwxrwx 1 root root 15 Jul 31 11:14 f3c9bec7.0 -> lc-sfbay-02.pem
-rw-r--r-- 1 root root 0 Aug 1 10:38 last_untrusted++
-rw-r--r-- 1 root root 1996 Jul 31 08:19 lc-sfbay-01.pem
-rw-r--r-- 1 root root 1996 Jul 31 08:19 lc-sfbay-02.pem
-rw-r--r-- 1 root root 2134 Jul 31 08:19 oracle.pem
The following commands all fail with "lookup:unable to get local issuer
certificate":
% openssl verify -partial_chain -CApath /etc/openssl/certs lc-sfbay-02.pem
% openssl verify -partial_chain -CAfile lc-sfbay-02.pem -CApath /etc/openssl/certs lc-sfbay-02.pem
% openssl verify -partial_chain -CAfile f3c9bec7.0 -CApath /etc/openssl/certs lc-sfbay-02.pem
When I trace each command, check_trust() returns 3 (X509_TRUST_UNTRUSTED)
because ctx->last_untrusted(=1) is not less than sk_X509_num(=1).
Do you have any idea why the same test fails for us?
Thank you
-- misaki
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
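As an added example (not code from this thread, and not OpenSSL's own code), the following script builds a throwaway root -> intermediate -> leaf PKI with openssl(1) and exercises the cases discussed above: the full chain to the root, an intermediate-only trust store and a leaf-only trust store, each with and without -partial_chain, plus the leaf installed in a hashed -CApath directory under the <subject_hash>.0 name that c_rehash would create. With OpenSSL 1.0.2 release or later the leaf-only trust store verifies only when -partial_chain is given; without it the same lookup fails with "unable to get local issuer certificate". Everything here is constructed for the demonstration: the certificate subjects, the file names root.pem, int.pem, leaf.pem, the certs directory, and the assumption that a recent openssl binary is on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL: build a throwaway
# root -> intermediate -> leaf PKI with openssl(1) and check which trust-store
# contents let `openssl verify` succeed, with and without -partial_chain.
# Assumes openssl 1.0.2 or later on PATH; file names, subjects and the
# hashed -CApath directory are constructed here (hypothetical names).

# make_pki DIR: write root.pem, int.pem and leaf.pem (plus keys) into DIR.
make_pki() {
    d=$1
    mkdir -p "$d" || return 1
    # Minimal config so the system openssl.cnf is not consulted.
    cat > "$d/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
EOF
    for n in root int leaf; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$d/$n.key" 2>/dev/null || return 1
    done
    # Self-signed root CA.
    openssl req -new -x509 -config "$d/ext.cnf" -extensions ca_ext -days 30 \
        -key "$d/root.key" -subj "/CN=Test Root CA" -out "$d/root.pem" 2>/dev/null || return 1
    # Intermediate CA, signed by the root.
    openssl req -new -config "$d/ext.cnf" -key "$d/int.key" \
        -subj "/CN=Test Intermediate CA" -out "$d/int.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ext.cnf" -extensions ca_ext \
        -out "$d/int.pem" 2>/dev/null || return 1
    # Leaf (server) certificate, signed by the intermediate.
    openssl req -new -config "$d/ext.cnf" -key "$d/leaf.key" \
        -subj "/CN=server.example.test" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 30 -extfile "$d/ext.cnf" -extensions leaf_ext \
        -out "$d/leaf.pem" 2>/dev/null || return 1
}

# install_hashed CERT DIR: place CERT in a -CApath directory under the
# <subject_hash>.0 name that OpenSSL stat()s. c_rehash / `openssl rehash`
# create symlinks with these names; a copy is looked up the same way.
install_hashed() {
    h=$(openssl x509 -noout -subject_hash -in "$1") || return 1
    mkdir -p "$2" && cp "$1" "$2/$h.0"
}

# verify_ok [openssl verify args...]: 0 if the chain verifies, 1 otherwise.
verify_ok() {
    openssl verify "$@" >/dev/null 2>&1
}

# expect WANT LABEL [args...]: run one case, print the verdict, fail on mismatch.
expect() {
    want=$1; label=$2; shift 2
    if verify_ok "$@"; then got=OK; else got=FAIL; fi
    printf '%-58s %s (expected %s)\n' "$label" "$got" "$want"
    [ "$got" = "$want" ]
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    d=$(mktemp -d) || return 1
    make_pki "$d" || { echo "PKI setup failed" >&2; rm -rf "$d"; return 1; }
    install_hashed "$d/leaf.pem" "$d/certs"
    rc=0
    expect OK   "root trusted, intermediate given as -untrusted" \
        -CAfile "$d/root.pem" -untrusted "$d/int.pem" "$d/leaf.pem" || rc=1
    expect FAIL "intermediate trusted, no -partial_chain" \
        -CAfile "$d/int.pem" "$d/leaf.pem" || rc=1
    expect OK   "intermediate trusted, -partial_chain" \
        -partial_chain -CAfile "$d/int.pem" "$d/leaf.pem" || rc=1
    expect FAIL "leaf itself trusted, no -partial_chain" \
        -CAfile "$d/leaf.pem" "$d/leaf.pem" || rc=1
    expect OK   "leaf itself trusted via -CAfile, -partial_chain" \
        -partial_chain -CAfile "$d/leaf.pem" "$d/leaf.pem" || rc=1
    expect OK   "leaf itself trusted via hashed -CApath, -partial_chain" \
        -partial_chain -CApath "$d/certs" "$d/leaf.pem" || rc=1
    rm -rf "$d"
    return $rc
}

main "$@"
```

Two points the script makes visible: -CApath lookups are purely by subject hash, so a certificate that is present but not reachable under its `openssl x509 -subject_hash` name is never loaded (OpenSSL 1.0.0 changed the hash algorithm, so links created by an older c_rehash have to be regenerated, or the old names computed with -subject_hash_old); and a trusted certificate that is not self-signed only terminates the chain when X509_V_FLAG_PARTIAL_CHAIN (-partial_chain) is set, which is the flag the thread is experimenting with.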