Re: [openssl-users] How to construct certificate chain

2015-02-09 Thread Jerry OELoo
I am using the 1.0.2 stable release and added the code below, but it still
gets Equifax while the browser gets GeoTrust Global CA.

X509_VERIFY_PARAM *param;
param = X509_VERIFY_PARAM_new();
/* 1.0.2+: consult the trust store before the peer-supplied chain at each step */
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_TRUSTED_FIRST);
/* SSL_CTX_set1_param() copies the settings into ctx, so the local copy can be freed */
SSL_CTX_set1_param(ctx, param);
X509_VERIFY_PARAM_free(param);




On Mon, Nov 17, 2014 at 3:43 PM, Viktor Dukhovni
openssl-us...@dukhovni.org wrote:
> On Mon, Nov 17, 2014 at 03:13:22PM +0800, Jerry OELoo wrote:
>
> > When I construct google's (www.google.com) certificate chain, it is
> > different from the browser's.
> >
> > [openssl API]
> > www.google.com - Google Internet Authority G2 - GeoTrust Global CA
> > - Equifax Secure Certificate Authority
>
> This is what Google sends on the wire.
>
> > [IE/Chrome]
> > www.google.com - Google Internet Authority G2 - GeoTrust Global CA
>
> The browsers short-circuit the chain, by finding an alternative trusted
> issuer for G2.
>
> > It seems openssl uses one certificate path with a bridge cert but
> > browsers use another certificate path, and in an answer, it said
> > "OpenSSL, which curl uses, is not, or at least not yet; thus you must
> > tell curl to give OpenSSL the Equifax root. (The OpenSSL 1.0.2
> > release, currently in beta, is announced to have enhancements in the
> > area of cert chain validation, which I haven't looked at in detail
> > yet.)"
>
> Commit 9d2006d8 (1.0.2 branch) implements a new X509_V_FLAG_TRUSTED_FIRST
> flag which should give similar (to the browsers) results if set in
> the X509_STORE_CTX used to validate the chain via:
>
> X509_VERIFY_PARAM_set_flags()
>
> and
>
> SSL_CTX_set1_param()
>
> see apps/apps.c and apps/s_client.c
>
> > So is there any way that openssl 1.0.1j can solve this and construct
> > the same certificate path as the browsers did?
>
> No, but it is far from clear why this is a problem.  Google sends
> a chain signed by Equifax.  So OpenSSL builds a chain with that.
> When Google stops sending the Equifax cert, OpenSSL will use the
> GeoTrust root CA if that's configured.
>
> --
> Viktor.
> __
> OpenSSL Project                 http://www.openssl.org
> User Support Mailing List       openssl-users@openssl.org
> Automated List Manager          majord...@openssl.org



-- 
Rejoice,I Desire!
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
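The two chain-building orders Viktor describes above, as an added example (not code from the thread or from OpenSSL): a Python model of path selection using the certificate names from the quoted www.google.com chain. It checks no signatures and stands in for X509 objects with constructed tuples; the "GeoTrust only" trust store is an assumption added to show when the flag changes the outcome, not a configuration anyone in the thread reports.

```python
"""Chain building with and without X509_V_FLAG_TRUSTED_FIRST.

Added example, not code from the thread or from OpenSSL.  It models only
the order in which issuers are looked up, using the certificate names from
the www.google.com chain quoted above; no signatures are checked, and the
constructed data below stands in for real X509 objects.
"""
from typing import Dict, List, NamedTuple, Optional


class Cert(NamedTuple):
    subject: str
    issuer: str


def self_signed(c: Cert) -> bool:
    return c.subject == c.issuer


def build_chain(leaf: Cert, wire: List[Cert], trusted: Dict[str, Cert],
                trusted_first: bool, max_depth: int = 10) -> Optional[List[Cert]]:
    """Return the path from `leaf` to a trust anchor, or None.

    trusted_first=False (the 1.0.1 behaviour as described in the thread):
    keep extending the chain with certificates the peer sent; the trust
    store is consulted only when those run out.
    trusted_first=True (1.0.2 with the flag): at each step check the trust
    store before the peer's certificates, so the chain ends at the first
    trusted issuer even if the peer also sent a cross-signed copy of it.
    """
    chain = [leaf]
    while len(chain) <= max_depth:          # bounds cross-signed loops
        top = chain[-1]
        if self_signed(top):
            # A chain can only end at a self-signed cert that is a trust anchor;
            # use the store's copy rather than the one the peer sent.
            return chain[:-1] + [trusted[top.subject]] if top.subject in trusted else None
        if trusted_first and top.issuer in trusted:
            chain.append(trusted[top.issuer])
            continue
        sent = next((c for c in wire if c.subject == top.issuer), None)
        if sent is not None:
            chain.append(sent)
            continue
        if top.issuer in trusted:           # peer-supplied certs exhausted
            chain.append(trusted[top.issuer])
            continue
        return None
    return None


def subjects(chain: Optional[List[Cert]]) -> Optional[List[str]]:
    return None if chain is None else [c.subject for c in chain]


# Constructed sample: the chain Google sent, per the post (GeoTrust Global CA
# cross-signed under Equifax, plus the Equifax root), and two trust stores.
GEOTRUST = "GeoTrust Global CA"
EQUIFAX = "Equifax Secure Certificate Authority"
LEAF = Cert("www.google.com", "Google Internet Authority G2")
WIRE = [
    LEAF,
    Cert("Google Internet Authority G2", GEOTRUST),
    Cert(GEOTRUST, EQUIFAX),       # cross-signed intermediate, not a root
    Cert(EQUIFAX, EQUIFAX),        # self-signed root, also sent on the wire
]
BOTH_ROOTS = {GEOTRUST: Cert(GEOTRUST, GEOTRUST), EQUIFAX: Cert(EQUIFAX, EQUIFAX)}
GEOTRUST_ONLY = {GEOTRUST: Cert(GEOTRUST, GEOTRUST)}   # assumed store without Equifax

if __name__ == "__main__":
    for store_name, store in (("both roots", BOTH_ROOTS), ("GeoTrust only", GEOTRUST_ONLY)):
        for flag in (False, True):
            print(store_name, "trusted_first=%s:" % flag,
                  subjects(build_chain(LEAF, WIRE, store, flag)))
```

Run stand-alone it prints the four results. The case worth noting is the store without the Equifax root: the untrusted-first build fails even though the GeoTrust Global CA root is trusted, while the trusted-first build succeeds with the three-certificate path the browsers show. The toy settles on a path before any signature is checked, which mirrors the real order of events: the verifier's signature checks run over whatever chain it has built, so the choice of path decides which signatures, and which root, the connection ends up depending on.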


Re: [openssl-users] How to construct certificate chain when missing intermediate CA

2015-01-09 Thread Jakob Bohm

On 09/01/2015 03:45, Jerry OELoo wrote:

> Hi All:
> I am using X509_STORE_CTX_get1_chain() to get a web site's full certificate chain.
> Now I have encountered an issue: some web sites do not return the
> intermediate CA certificate but only the web site's leaf certificate.
>
> For example: https://globaltrade.usbank.com
>
> Below is the certificate I get.
>
> Subject: /C=US/ST=Minnesota/L=St. Paul/O=U.S. Bank/OU=ISS/CN=globaltrade.usbank.com
> Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
>
> My environment is missing the VeriSign Class 3 Secure Server CA - G3 certificate.
>
> When I open the web site in a browser (Chrome on Windows), I can see the
> certificate chain is built successfully. I think this is because the
> browser recognizes VeriSign Class 3 Secure Server CA - G3 as an
> intermediate CA and automatically installs the crt into the system.
>
> So my question is: how can I achieve the same as browsers with openssl?
> With openssl I get the error info below. But how can I use a program to
> download the VeriSign G3 certificate and install it automatically, so
> that I can build the full certificate chain?
>
> Peer cert subject[/C=US/ST=Minnesota/L=St. Paul/O=U.S. Bank/OU=ISS/CN=globaltrade.usbank.com] depth[0] error[20]
> Peer cert subject[/C=US/ST=Minnesota/L=St. Paul/O=U.S. Bank/OU=ISS/CN=globaltrade.usbank.com] depth[0] error[27]
> Peer cert subject[/C=US/ST=Minnesota/L=St. Paul/O=U.S. Bank/OU=ISS/CN=globaltrade.usbank.com] depth[0] error[21]



The trick is that many (not all) certificates now include an
Authority Information Access (AIA) extension which
(optionally) gives a download URL for the next certificate
in the chain in case the browser does not have a local copy.
This is the same extension which also (in another optional
field) provides the URL of an OCSP revocation checking
server.

So in some clients (at least Internet Explorer 9+), the
procedure for each certificate is:

1. Using the full Issuer DN (which is a complex ASN.1
structure), put them in the same form (already done
because that part of the certificate has to be in the
strict DER format), then do a binary compare for
identity against the full Subject DN in all the
certificates received from the other end.

2. If this fails, do the same against all the
certificates in your local catalog of trusted root CAs.

3. If this fails, do the same against all the certificates
in your local catalog of known Intermediary CAs.

4. If this fails, do the same against all the certificates
in your local cache of previously downloaded certificates.

5. If this fails, look for an AIA extension in the cert
and check if that extension includes a certificate
download URL, then download from that URL to an in-memory
variable.  If the validation ultimately succeeds, save
that downloaded certificate from memory to your local
cache.

OpenSSL 1.0.1 and older include functions to do steps 1
(if the other end sent the certificates in the order
needed) and 2.  That code may be coerced into doing steps
3 and 4 by putting the intermediary certificates into the
root store and checking if a certificate is self-signed
to decide if it is trusted or just a potentially
unverified intermediary.

OpenSSL 1.0.2 beta apparently includes better code for
most of these steps than 1.0.1.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



[openssl-users] How to construct certificate chain when missing intermediate CA

2015-01-08 Thread Jerry OELoo
Hi All:
I am using X509_STORE_CTX_get1_chain() to get a web site's full certificate chain.
Now I have encountered an issue: some web sites do not return the
intermediate CA certificate but only the web site's leaf certificate.

For example: https://globaltrade.usbank.com

Below is the certificate I get.

Subject: /C=US/ST=Minnesota/L=St. Paul/O=U.S. Bank/OU=ISS/CN=globaltrade.usbank.com
Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3

My environment is missing the VeriSign Class 3 Secure Server CA - G3 certificate.

When I open the web site in a browser (Chrome on Windows), I can see the
certificate chain is built successfully. I think this is because the
browser recognizes VeriSign Class 3 Secure Server CA - G3 as an
intermediate CA and automatically installs the crt into the system.

So my question is: how can I achieve the same as browsers with openssl?
With openssl I get the error info below. But how can I use a program to
download the VeriSign G3 certificate and install it automatically, so
that I can build the full certificate chain?

Peer cert subject[/C=US/ST=Minnesota/L=St. Paul/O=U.S. Bank/OU=ISS/CN=globaltrade.usbank.com] depth[0] error[20]
Peer cert subject[/C=US/ST=Minnesota/L=St. Paul/O=U.S. Bank/OU=ISS/CN=globaltrade.usbank.com] depth[0] error[27]
Peer cert subject[/C=US/ST=Minnesota/L=St. Paul/O=U.S. Bank/OU=ISS/CN=globaltrade.usbank.com] depth[0] error[21]


-- 
Rejoice,I Desire!