> From: owner-openssl-us...@openssl.org On Behalf Of Brian Reichert
> Sent: Monday, 11 April, 2011 18:12

> On Mon, Apr 11, 2011 at 05:53:45PM -0400, Dave Thompson wrote:
<snip other points>
> > But your likely problem is this cert uses an intermediate cert
> > /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA .
> > If that intermediate cert is not in your (packaged) truststore,
> > s_client can verify because google sent it, but verify can't
> > because verify gets only the entity cert you give it
> > unless you also specify -untrusted.
>
> I have to admit; I completely failed to understand the role of
> 'untrusted' certificates in this context.
>
> I think I still want a high-level treatment of how 'openssl verify' is
> different than the verification that 'openssl s_client' undergoes.
>
> Is there some write-up of that on-line anywhere?

On Linux you should have man pages including verify(ssl1), which describes
chain verification (although it doesn't cover revocation checks, which can
now be included) which is the same for both SSL ('s_client' etc.) and
'verify', and some other things too. If you really want online, try the
usual suspects.

The difference is that 's_client' has available the cert(s) sent by the
server, which can choose to send just the entity cert, the full chain, or
anywhere in between. www.google.com:443 in particular sends the entity cert
and the one intermediate cert (Thawte SGC) which together with a Verisign
root (obviously in your truststore, see below) makes a complete chain.
'verify' only has available the entity cert in the file you give as an
argument (or stdin), and optionally any cert(s) you give it in -untrusted,
as well as the truststore. Thus my suggestion next:

> > Do s_client with -showcerts and you'll see you get both
> > the entity cert for google and this intermediate cert.
> > Either: put the intermediate cert in a file and give it
> > to -untrusted; or put it in the truststore you use.
>
> How is 'the truststore I use' different than the /etc/pki/tls/cert.pem
> file dropped in by RedHat/CentOS?

For OpenSSL utilities the truststore is -CAfile and/or -CApath; other apps
are different. I didn't think you were modifying that package -- people
typically don't -- so 'the truststore you use' allows for creating a
different file/dir. If you want to modify the /etc/pki one that works as
far as OpenSSL is concerned, but I don't know if it causes trouble with
your package manager.

In theory whether you call Thawte SGC 'trusted' or 'untrusted' could
reflect an actual policy analysis. In practice you are trusting it based
solely on being issued by Verisign, so it's semantically right to supply
it as -untrusted. On the other hand, it's often simpler to just have one
file or directory of 'certs I trust' and you do trust this one. So, either
is reasonable.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org