On Mon, Aug 05, 2013, Misaki.Miyashita wrote:

> Thanks for the quick response, Steve.
>
> On 08/03/13 11:27, Dr. Stephen Henson wrote:
> > On Fri, Aug 02, 2013, Misaki.Miyashita wrote:
> >
> >> Hello,
> >>
> >> We have a server where its ServerCert is signed by an intermediateCA,
> >> which is signed by a RootCA.
> >> Currently, OpenSSL seems to require the RootCA cert to be installed (in
> >> the certs dir) in order to connect to the server.
> >> We would like a feature where the leaf certificate (ServerCert) can
> >> be trusted if that particular cert is in the certs dir.
> >>
> >> Jordan Brown was in contact with Steve H. to find out that there is
> >> an experimental X509_V_FLAG_PARTIAL_CHAIN flag support in 1.0.2.
> >> We tried our experiment with 1.0.2 and X509_V_FLAG_PARTIAL_CHAIN.
> >> That helped some but does not seem to have addressed the need.
> >>
> >> I need some help understanding what's going on to resolve this issue.
> >> Here are my findings:
> >>
> >> Test 1: openssl verify -partial_chain ServerCert.pem
> >>
> >> - This is successful if the intermediate cert is installed: This is good.
> >>   - Without "-partial_chain", 'openssl verify' fails even if the
> >>     intermediate cert is installed.
> >>   - openssl stat()s for intermediate cert (success) and RootCA cert (fail)
> >>   - check_trust() returns TRUSTED as last_untrusted(=1) is less than
> >>     sk_X509_num(=2)
> >>
> >> - This fails if only the ServerCert is installed.
> >>   - OpenSSL stat()s for the intermediateCA (fail) only.
> >>   - check_trust() returns UNTRUSTED as last_untrusted(=1) is not less
> >>     than sk_X509_num(=1)
> >>   - We would like this case to be successful.
> >>
> >> Test 2: openssl s_client -connect lc-sfbay-02:636 -partial_chain
> >> -CApath /etc/openssl/certs
> >>
> >> - This is successful if the RootCA certificate is installed
> >>   - openssl stat()s for RootCA cert (success)
> >>
> >> - This fails if RootCA is not installed even if ServerCert and/or
> >>   intermediateCA is installed
> >>   - openssl stat()s for RootCA cert (fail) only
> >>   - check_trust() returns UNTRUSTED as last_untrusted(=2) is not less
> >>     than sk_X509_num(=2)
> >>   - We would like this case to succeed.
> >>
> >> Can I get some help figuring out what needs to be changed so that
> >> the leaf certificate (ServerCert) can be trusted?
> >>
> > This works fine for me and the test certificate apps/server.pem. I'm not
> > sure what the problem is unless you didn't call c_rehash or equivalent
> > after you installed the server certificate. Try using the -CAfile option too.
>
> I have a <digest>.0 file linking to the .pem file in the certs dir.
> (Note: VS.pem is the root CA cert, oracle.pem is the intermediate CA
> cert, lc-sfbay-02.pem is the ServerCert)
>
> /etc/openssl/certs# ls -l
> total 103
> drwxr-xr-x 2 root root    5 Jul 31 10:57 OLD
> -rw-r--r-- 1 root root 1484 Jul 31 08:19 VS.pem
> lrwxrwxrwx 1 root root   15 Jul 31 11:14 f3c9bec7.0 -> lc-sfbay-02.pem
> -rw-r--r-- 1 root root    0 Aug  1 10:38 last_untrusted++
> -rw-r--r-- 1 root root 1996 Jul 31 08:19 lc-sfbay-01.pem
> -rw-r--r-- 1 root root 1996 Jul 31 08:19 lc-sfbay-02.pem
> -rw-r--r-- 1 root root 2134 Jul 31 08:19 oracle.pem
>
> The following commands all fail with "lookup:unable to get local
> issuer certificate":
> % openssl verify -partial_chain -CApath /etc/openssl/certs lc-sfbay-02.pem
> % openssl verify -partial_chain -CAfile lc-sfbay-02.pem -CApath
>   /etc/openssl/certs lc-sfbay-02.pem
> % openssl verify -partial_chain -CAfile f3c9bec7.0 -CApath
>   /etc/openssl/certs lc-sfbay-02.pem
>
> When I trace each command, check_trust() returns 3
> (X509_TRUST_UNTRUSTED) because ctx->last_untrusted(=1) is not less
> than sk_X509_num(=1).
>
> Do you have any idea why the same test fails for us?
>

Try commenting out the next line:

    if (sk_X509_num(ctx->chain) == 1)

The following code block checks for an exact match of the EE certificate, but it is currently only performed if there is only one certificate in the chain. Commenting out that line means it tries to match unconditionally.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
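The trust-store cases from Misaki's Test 1, reproduced as an added shell example that is not part of the thread: it generates a throwaway root/intermediate/leaf chain with the openssl CLI and runs `openssl verify` against a store holding only the leaf, only the intermediate, or the root plus an untrusted intermediate. It assumes an openssl binary from a release where the leaf-in-store match is no longer gated by the chain-length check Steve points at (1.1.0 or later); the file and subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate
# -> leaf chain and see which trust stores let `openssl verify` accept the
# leaf, with and without -partial_chain. Names are constructed for the demo.
set -e

# make_chain DIR: root CA (self-signed), intermediate CA (signed by root),
# leaf "ServerCert" (signed by intermediate). CA certs carry CA:TRUE so the
# chain passes OpenSSL's basicConstraints checks.
make_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    for n in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -out "$d/$n.csr" -subj "/CN=Test $n" >/dev/null 2>&1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" >/dev/null 2>&1
}

# verify_leaf DIR TRUSTFILE [extra verify flags...]: prints OK or FAIL.
# The ": OK" line is checked instead of the exit status, since older
# releases exit 0 even when verification fails.
verify_leaf() {
    d=$1; trust=$2; shift 2
    if openssl verify "$@" -CAfile "$d/$trust" "$d/leaf.pem" 2>&1 | grep -q ': OK$'; then
        echo OK
    else
        echo FAIL
    fi
}

WORK=$(mktemp -d)
make_chain "$WORK"
# Only the leaf in the store: what the thread asks for. Accepted with
# -partial_chain (on releases with the fixed check_trust), rejected without.
echo "leaf only, -partial_chain:      $(verify_leaf "$WORK" leaf.pem -partial_chain)"
echo "leaf only, no flag:             $(verify_leaf "$WORK" leaf.pem)"
# Only the intermediate in the store: Test 1's working case.
echo "intermediate only, -partial_chain: $(verify_leaf "$WORK" inter.pem -partial_chain)"
# Root in the store, intermediate supplied as untrusted: full chain, no flag.
echo "root + untrusted intermediate:  $(verify_leaf "$WORK" root.pem -untrusted "$WORK/inter.pem")"
```

The "leaf only, no flag" line is the one to watch in deployments: a leaf placed in the certs dir is only honoured when the verifier actually sets X509_V_FLAG_PARTIAL_CHAIN.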