On Mon, Nov 17, 2014 at 03:13:22PM +0800, Jerry OELoo wrote:
> When I construct Google's (www.google.com) certificate chain, it is
> different from the browser's.
>
> [openssl API]
> www.google.com -> Google Internet Authority G2 -> GeoTrust Global CA
> -> Equifax Secure Certificate Authority

This is what Google sends on the wire.

> [IE/Chrome]
> www.google.com -> Google Internet Authority G2 -> GeoTrust Global CA

The browsers short-circuit the chain by finding an alternative trusted
issuer for "G2".

> It seems openssl uses one certificate path with a "bridge cert" but
> browsers use another certificate path, and in an answer it said
> "OpenSSL, which curl uses, is not, or at least not yet; thus you must
> tell curl to give OpenSSL the Equifax root. (The OpenSSL 1.0.2
> release, currently in beta, is announced to have enhancements in the
> area of cert chain validation, which I haven't looked at in detail
> yet.",

Commit 9d2006d8 (1.0.2 branch) implements a new X509_V_FLAG_TRUSTED_FIRST
flag which should give similar (to the browsers) results if set in the
X509_STORE_CTX used to validate the chain via:

    X509_VERIFY_PARAM_set_flags() and SSL_CTX_set1_param()

see apps/apps.c and apps/s_client.c

> So is there any way that openssl 1.0.1j can solve this and construct
> the same certificate path as the browsers do?

No, but it is far from clear why "this" is a problem. Google sends a
chain signed by Equifax. So OpenSSL builds a chain with that. When
Google stops sending the Equifax cert, OpenSSL will use the GeoTrust
root CA if that's configured.

-- 
	Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
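As an added illustration of the trusted-first setting Viktor describes (example code, not from the thread or the OpenSSL project): CPython's ssl module applies SSLContext.verify_flags through X509_VERIFY_PARAM_set_flags() on the SSL_CTX's parameters, so ssl.VERIFY_X509_TRUSTED_FIRST is the same X509_V_FLAG_TRUSTED_FIRST bit, and it is only exported when Python was built against OpenSSL 1.0.2 or later. The trust-store path is a placeholder assumption.

```python
import ssl

# Placeholder (assumed) path: a trust store holding only the GeoTrust Global
# CA root, i.e. the case where the Equifax root is deliberately absent.
TRUST_STORE_PEM = "/path/to/geotrust-global-ca.pem"


def trusted_first_supported():
    """True when this Python/OpenSSL build exposes X509_V_FLAG_TRUSTED_FIRST.
    CPython only defines the constant when compiled against OpenSSL >= 1.0.2,
    which is why a 1.0.1j build cannot be told to prefer the trust store."""
    return hasattr(ssl, "VERIFY_X509_TRUSTED_FIRST")


def make_verifying_context(cafile=None):
    """Client context that requires a verified peer and, where supported,
    prefers issuers from the trust store over the chain the server sends."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)  # e.g. TRUST_STORE_PEM
    else:
        ctx.load_default_certs()  # system store; works offline
    if trusted_first_supported():
        # Same effect as X509_VERIFY_PARAM_set_flags(param,
        # X509_V_FLAG_TRUSTED_FIRST) on the SSL_CTX's verify parameters.
        # Newer OpenSSL and Python enable this by default; setting it
        # explicitly records the intent.
        ctx.verify_flags |= ssl.VERIFY_X509_TRUSTED_FIRST
    return ctx


def trusted_first_enabled(ctx):
    """Report whether chain building will consult the trust store first.
    With the flag set, a trusted GeoTrust root satisfies the G2 issuer
    lookup and the Equifax cross-cert on the wire is simply ignored."""
    flag = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
    return bool(flag) and bool(ctx.verify_flags & flag)


if __name__ == "__main__":
    context = make_verifying_context()
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print("trusted-first supported:", trusted_first_supported())
    print("trusted-first enabled:", trusted_first_enabled(context))
```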