On Wed, Apr 04, 2001 at 02:37:23PM +0100, Graeme English wrote:
> I mentioned this since previously I had not defined SSLCertificateChainFile in my
> httpd.conf (apache, mod_perl) and when I did the following (excuse the hack!)
> #include <openssl/ssl.h>
> #include <openssl/pem.h>
> /* _ssl is the connected SSL *, cout a BIO * (names as in the original hack).
>    The chain stack is owned by the SSL object: walk it read-only instead of
>    sk_pop()ing entries out of it and X509_free()ing what it still references. */
> STACK_OF(X509) *cert_chain = SSL_get_peer_cert_chain(_ssl);
> int i;
> for (i = 0; i < sk_X509_num(cert_chain); i++) {
>     X509 *server_cert = sk_X509_value(cert_chain, i);
>     X509_print(cout, server_cert);
>     PEM_write_bio_X509(cout, server_cert);
> }
> I only got the server certificate back. On defining SSLCertificateChainFile (and
> putting the CA cert in it) I got both certificates back! I also tried pointing my
> browser at https://amazon.co.uk and similarly only got the server certificate!
It is valid to omit the root CA certificate. If your chain only contains the
server cert and the CA cert, only the server cert needs to be sent. Therefore
the result you have seen is valid (even though I would find it more
practical to always have the complete chain sent).

An OpenSSL based server without SSLCertificateChainFile set will still
try to complete its chain from the trusted CA store. So if you have the
certificate of your CA in SSLCACertificatePath or SSLCACertificateFile
(mod_ssl syntax), you will still see the complete chain.
> > When realizing this functionality, please check out the old bugtraq
> > messages. There were quite some subtle things with certificates being
> > accepted for a wrong server name by the user once but then the non-matching
> > certificate suddenly became valid for all server names (if memory serves
> > me right)... It is not necessary to fall into the same pitfalls again :-)
>
> I've just spent a couple of hours trawling through the mailing list archives without
> much luck. Was this what you meant by 'bugtraq'? If so, can you offer any other hints
> ;-) or let me know how to get the 'bugtraq' messages?
http://marc.theaimsgroup.com/?l=bugtraq&r=1&w=2
A search for "netscape certificate" gave
http://marc.theaimsgroup.com/?l=bugtraq&m=95797566730807&w=2
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
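The two points in Lutz's reply, worked as an added example that is not code from this thread, from mod_ssl or from OpenSSL: a server that has no explicit chain file completes its chain from its trusted CA store and leaves out the self-signed root (so a two-cert PKI legitimately sends only the server cert), and a client that must reach a trusted root from whatever was sent and must tie the leaf to the host it connected to, which is the pitfall the old bugtraq thread was about. Go's crypto/x509 stands in for OpenSSL here; the certificates are generated in-process with made-up names, and newCert, buildPKI, completeChain and verifyPresented are names chosen for this example. completeChain is a model of the mod_ssl behaviour Lutz describes, not mod_ssl's own code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must unwraps (value, err) pairs while building the constructed test fixture.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a minimal CA or server cert for cn under parent/parentKey;
// with parent == nil the cert is self-signed, i.e. a root.
func newCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn} // the host name this server cert is valid for
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// buildPKI constructs the example hierarchy (all names made up): root, intermediate,
// a server cert under the intermediate (leaf) and one issued directly by the root
// (direct), which is the two-cert setup from the quoted message.
func buildPKI() (root, inter, leaf, direct *x509.Certificate) {
	root, rootKey := newCert("Example Root CA", 1, true, nil, nil)
	inter, interKey := newCert("Example Issuing CA", 2, true, root, rootKey)
	leaf, _ = newCert("www.example.com", 3, false, inter, interKey)
	direct, _ = newCert("www.example.org", 4, false, root, rootKey)
	return root, inter, leaf, direct
}

// signedBy reports whether ca issued c: issuer name matches and the signature verifies.
func signedBy(c, ca *x509.Certificate) bool {
	return c.Issuer.String() == ca.Subject.String() && c.CheckSignatureFrom(ca) == nil
}

// completeChain models the server side without SSLCertificateChainFile: walk from
// the server cert through the CA store by issuer, appending each CA found, and stop
// before the self-signed root (the peer must already trust it, so it is not sent).
func completeChain(leaf *x509.Certificate, store []*x509.Certificate) []*x509.Certificate {
	chain := []*x509.Certificate{leaf}
	for cur := leaf; ; {
		var issuer *x509.Certificate
		for _, ca := range store {
			if signedBy(cur, ca) {
				issuer = ca
				break
			}
		}
		if issuer == nil || signedBy(issuer, issuer) {
			return chain // issuer unknown to the store, or issuer is the root
		}
		chain, cur = append(chain, issuer), issuer
	}
}

// verifyPresented is the client side: reach a trusted root using only the other
// presented certs as intermediates, and check the leaf is for the host dialled.
func verifyPresented(presented, roots []*x509.Certificate, host string) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, c := range presented[1:] {
		interPool.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, DNSName: host})
	return err
}

func main() {
	root, inter, leaf, direct := buildPKI()
	store, roots := []*x509.Certificate{root, inter}, []*x509.Certificate{root}
	fmt.Println(len(completeChain(direct, store)), len(completeChain(leaf, store))) // 1 2
	fmt.Println(verifyPresented([]*x509.Certificate{leaf, inter}, roots, "other.example.com"))
}
```

With the root in the store, completeChain sends one cert for the root-issued server and two for the intermediate-issued one, and a client given only the root verifies the former but rejects the latter if the intermediate is left out, which is why Lutz prefers the complete chain to be sent. The DNSName check is what keeps a cert that is valid for one server from being accepted for another; the bugtraq report he points at concerns a client that lost that distinction after the user had accepted the cert once.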