Re: [openssl-users] Certificate chain validation
https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_use_certificate.html https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_add_extra_chain_cert.html The linked documents didn’t say the APIs must be called on *client* side, and it works fine in my code on both client and server side. I am under the impression that there is no asymmetry in terms of *sending* side chain building for client and server side, what you said below means client side always sends *partial* chain to server side? Thanks. From: Salz, Rich via openssl-users<mailto:openssl-users@openssl.org> Sent: Friday, April 21, 2017 3:37 PM To: openssl-users@openssl.org<mailto:openssl-users@openssl.org> Subject: Re: [openssl-users] Certificate chain validation You are asking two different questions. The certificates that the *client* sends are specified by the various “use certficiate” API’s. No chain is built. See doc/man3/SSL_CTX_use_certificate.pod, especially the “use certificate chain file” API. As for what the *server* does, it tries to use what the client sends and build a chain up to one of the certificates that is in the local, server, trust store. The API’s are a bit different for 1.0.2 than for 1.1.0 -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Certificate chain validation
Right on! I think it is indeed an issue of partial chain on the loading side. As a related question, on the loading side, do I need to provide the whole chain to SSL_CTX_use_certificate? If intermediate CA certificate is installed into default locations like /ets/ssl/certs, and only end certificate is passed to SSL_CTX_use_certificate, will openssl search the default locations to build a complete chain before sending it to the remote side? Thanks. From: Jakob Bohm<mailto:jb-open...@wisemo.com> Sent: Friday, April 21, 2017 5:10 AM To: openssl-users@openssl.org<mailto:openssl-users@openssl.org> Subject: Re: [openssl-users] Certificate chain validation On 21/04/2017 03:37, Lei Kong wrote: > > When validating a certificate issued by an intermediate certificate > authority, I noticed that I need to install both the root and the > intermediate CA certificate locally (with update-ca-certificates on > ubuntu 16.04). Verification fails if only root CA cert is installed > (intermediate is not installed), is this expected behavior? Why do I > need to install intermediate CA cert locally? Locally installed root > CA cert is not enough to validate intermediate CA cert? > This is only necessary if the other end of the connection (incorrectly) forgets to include the intermediate in the certificate bundle sent with the data or protocol exchange. > Is it possible to make chain validation work with only root CA cert > installed locally? > Yes, if the other end is not misconfigured and you pass the received certificate bundle to the appropriate validation related function as a list of untrusted additional certificates, which the certificate verification code can search for needed intermediate certificates. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Certificate chain validation
You are asking two different questions. The certificates that the *client* sends are specified by the various “use certficiate” API’s. No chain is built. See doc/man3/SSL_CTX_use_certificate.pod, especially the “use certificate chain file” API. As for what the *server* does, it tries to use what the client sends and build a chain up to one of the certificates that is in the local, server, trust store. The API’s are a bit different for 1.0.2 than for 1.1.0 -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Certificate chain validation
According to https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_add_extra_chain_cert.html, openssl will search the default locations for chain building: “If no chain is specified, the library will try to complete the chain from the available CA certificates in the trusted CA storage, see SSL_CTX_load_verify_locations<https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_load_verify_locations.html>.” From: Lei Kong<mailto:leik...@msn.com> Sent: Friday, April 21, 2017 2:10 PM To: openssl-users@openssl.org<mailto:openssl-users@openssl.org> Subject: RE: [openssl-users] Certificate chain validation Right on! I think it is indeed an issue of partial chain on the loading side. As a related question, on the loading side, do I need to provide the whole chain to SSL_CTX_use_certificate? If intermediate CA certificate is installed into default locations like /ets/ssl/certs, and only end certificate is passed to SSL_CTX_use_certificate, will openssl search the default locations to build a complete chain before sending it to the remote side? Thanks. From: Jakob Bohm<mailto:jb-open...@wisemo.com> Sent: Friday, April 21, 2017 5:10 AM To: openssl-users@openssl.org<mailto:openssl-users@openssl.org> Subject: Re: [openssl-users] Certificate chain validation On 21/04/2017 03:37, Lei Kong wrote: > > When validating a certificate issued by an intermediate certificate > authority, I noticed that I need to install both the root and the > intermediate CA certificate locally (with update-ca-certificates on > ubuntu 16.04). Verification fails if only root CA cert is installed > (intermediate is not installed), is this expected behavior? Why do I > need to install intermediate CA cert locally? Locally installed root > CA cert is not enough to validate intermediate CA cert? > This is only necessary if the other end of the connection (incorrectly) forgets to include the intermediate in the certificate bundle sent with the data or protocol exchange. > Is it possible to make chain validation work with only root CA cert > installed locally? > Yes, if the other end is not misconfigured and you pass the received certificate bundle to the appropriate validation related function as a list of untrusted additional certificates, which the certificate verification code can search for needed intermediate certificates. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Certificate chain validation
No, you must have a chain up to a local trust anchor. You can install the intermediate in your trust store. -- Senior Architect, Akamai Technologies Member, OpenSSL Dev Team IM: richs...@jabber.at Twitter: RichSalz From: Lei Kong [mailto:leik...@msn.com] Sent: Thursday, April 20, 2017 9:38 PM To: openssl-users@openssl.org Subject: [openssl-users] Certificate chain validation When validating a certificate issued by an intermediate certificate authority, I noticed that I need to install both the root and the intermediate CA certificate locally (with update-ca-certificates on ubuntu 16.04). Verification fails if only root CA cert is installed (intermediate is not installed), is this expected behavior? Why do I need to install intermediate CA cert locally? Locally installed root CA cert is not enough to validate intermediate CA cert? Is it possible to make chain validation work with only root CA cert installed locally? Thanks. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Certificate chain validation
On 21/04/2017 03:37, Lei Kong wrote: When validating a certificate issued by an intermediate certificate authority, I noticed that I need to install both the root and the intermediate CA certificate locally (with update-ca-certificates on ubuntu 16.04). Verification fails if only root CA cert is installed (intermediate is not installed), is this expected behavior? Why do I need to install intermediate CA cert locally? Locally installed root CA cert is not enough to validate intermediate CA cert? This is only necessary if the other end of the connection (incorrectly) forgets to include the intermediate in the certificate bundle sent with the data or protocol exchange. Is it possible to make chain validation work with only root CA cert installed locally? Yes, if the other end is not misconfigured and you pass the received certificate bundle to the appropriate validation related function as a list of untrusted additional certificates, which the certificate verification code can search for needed intermediate certificates. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users