I just read a little bit about X.509 extensions. And it's getting more clear to me. Just one additional question: Are Name Constraints, as desribed in RFC5280 implemented and used. And if so, how can I display them via openssl x509 tool?
On Sat, Feb 9, 2013 at 9:51 PM, <kap...@mizera.cz> wrote: > I thing yours Q is about responsibility. > If CA issues for "Some Private Org" such type of certificate, which allows > (key usage) to sign other certificates, then is this CA responsible for it. > > > > And the other thing: if POP3S library don't check CN (what IMHO should), > then set as trusted only the (on end) correct pop3.live.com certificate and > you do not need to take care about intermediate issuer. > > DNSsec as mandatory could help too. And use "chattr +i" on > /etc/hosts; host.conf; resolv.conf > > --kapetr > > Dne 9.2.2013 17:47, Angelin Lalev napsal(a): >> >> I'm not a professional C programmer, but I occasionaly use C to create >> administrative "scripts". I'm sorry >> if I'm asking for anything trivial and will be very thankful if You >> direct me to the relevant documentation. >> >> The question: >> I'm trying to obtain SSL certificate for POP3S server of live.com to >> use with POP3S library (libspopc). >> >> openssl s_client -connect pop3.live.com:995 -showcerts >> >> produces: >> >> CONNECTED(00000003) >> depth=2 CN = Microsoft Internet Authority >> verify error:num=20:unable to get local issuer certificate >> verify return:0 >> --- >> Certificate chain >> 0 s:/CN=pop3.live.com >> i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure >> Server Authority >> -----BEGIN CERTIFICATE----- >> ............................................................ >> -----END CERTIFICATE----- >> 1 s:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure >> Server Authority >> i:/CN=Microsoft Internet Authority >> -----BEGIN CERTIFICATE----- >> .......................................................... >> -----END CERTIFICATE----- >> 2 s:/CN=Microsoft Internet Authority >> i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE >> CyberTrust Global Root >> -----BEGIN CERTIFICATE----- >> .............................................................. >> -----END CERTIFICATE----- >> >> So we have CybertTrust Global Root ------signs-----> Microsoft >> Internet Authority-----signs-----> Microsoft Secure Server Authority >> -------signs-----> pop3.live.com >> (valid until 2018) >> (valid until 2014) (valid >> until mid-2013) >> >> I had the smart idea of adding the CyberTrust Global Root to my >> embedded application and use it to validate the certificate chain. >> There is a problem though. If CyberTrust Global Root signs other >> certificates, this verification will result any certificate, signed by >> CyberTrust to be valid. >> How should I approach towards a solution of this problem. Look at CNs? >> What if something like this happens >> >> CyberTrust Global Root -------------------> Signs --------------> Some >> Private Org -----------Signs fake ------------> pop3.live.com >> >> For example my POP3S library doesn't seem to mind if the address i'm >> connecting is something different than pop3.live.com:995. I did a >> little manipulation of >> /etc/hosts and now I'm able to connect to the same server (same IP) >> under different domain name. >> Are there some standard library functions that automate this process. >> ______________________________________________________________________ >> OpenSSL Project http://www.openssl.org >> User Support Mailing List openssl-users@openssl.org >> Automated List Manager majord...@openssl.org >> > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org On Sat, Feb 9, 2013 at 9:51 PM, <kap...@mizera.cz> wrote: > I thing yours Q is about responsibility. > If CA issues for "Some Private Org" such type of certificate, which allows > (key usage) to sign other certificates, then is this CA responsible for it. > > > > And the other thing: if POP3S library don't check CN (what IMHO should), > then set as trusted only the (on end) correct pop3.live.com certificate and > you do not need to take care about intermediate issuer. > > DNSsec as mandatory could help too. And use "chattr +i" on > /etc/hosts; host.conf; resolv.conf > > --kapetr > > Dne 9.2.2013 17:47, Angelin Lalev napsal(a): >> >> I'm not a professional C programmer, but I occasionaly use C to create >> administrative "scripts". I'm sorry >> if I'm asking for anything trivial and will be very thankful if You >> direct me to the relevant documentation. >> >> The question: >> I'm trying to obtain SSL certificate for POP3S server of live.com to >> use with POP3S library (libspopc). >> >> openssl s_client -connect pop3.live.com:995 -showcerts >> >> produces: >> >> CONNECTED(00000003) >> depth=2 CN = Microsoft Internet Authority >> verify error:num=20:unable to get local issuer certificate >> verify return:0 >> --- >> Certificate chain >> 0 s:/CN=pop3.live.com >> i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure >> Server Authority >> -----BEGIN CERTIFICATE----- >> ............................................................ >> -----END CERTIFICATE----- >> 1 s:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure >> Server Authority >> i:/CN=Microsoft Internet Authority >> -----BEGIN CERTIFICATE----- >> .......................................................... >> -----END CERTIFICATE----- >> 2 s:/CN=Microsoft Internet Authority >> i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE >> CyberTrust Global Root >> -----BEGIN CERTIFICATE----- >> .............................................................. >> -----END CERTIFICATE----- >> >> So we have CybertTrust Global Root ------signs-----> Microsoft >> Internet Authority-----signs-----> Microsoft Secure Server Authority >> -------signs-----> pop3.live.com >> (valid until 2018) >> (valid until 2014) (valid >> until mid-2013) >> >> I had the smart idea of adding the CyberTrust Global Root to my >> embedded application and use it to validate the certificate chain. >> There is a problem though. If CyberTrust Global Root signs other >> certificates, this verification will result any certificate, signed by >> CyberTrust to be valid. >> How should I approach towards a solution of this problem. Look at CNs? >> What if something like this happens >> >> CyberTrust Global Root -------------------> Signs --------------> Some >> Private Org -----------Signs fake ------------> pop3.live.com >> >> For example my POP3S library doesn't seem to mind if the address i'm >> connecting is something different than pop3.live.com:995. I did a >> little manipulation of >> /etc/hosts and now I'm able to connect to the same server (same IP) >> under different domain name. >> Are there some standard library functions that automate this process. >> ______________________________________________________________________ >> OpenSSL Project http://www.openssl.org >> User Support Mailing List openssl-users@openssl.org >> Automated List Manager majord...@openssl.org >> > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
