Re: NameConstraints are not being applied (or I don't know how to enforce them?)
> I would expect such constraints to only apply when
> certificates are being *verified*. There seems to be
> little point in preventing a CA from attempting to sign
> violating certificates.

Yes, I later tried to "verify" and I still got no complaints.

Does OpenSSL trust chain validation include any checks on name
constraints?

If there is an additional step that I need to apply for this verification
to happen then I don't know that, and I'd appreciate it if you could detail
that, please. Thanks.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: [openssl-users] Re: NameConstraints are not being applied (or I don't know how to enforce them?)
On Thu, Jun 03, 2010, Victor Duchovni wrote:

> On Thu, Jun 03, 2010 at 09:45:36PM +0200, Erwann ABALEA wrote:
>
> > Hodie III Non. Iun. MMX, Victor Duchovni scripsit:
> > > On Thu, Jun 03, 2010 at 02:32:10PM -0400, jeff wrote:
> > >
> > > > > I would expect such constraints to only apply when
> > > > > certificates are being *verified*. There seems to be
> > > > > little point in preventing a CA from attempting to sign
> > > > > violating certificates.
> > > >
> > > > Yes, I later tried to "verify" and I still got no complaints.
> > >
> > > As I said, the "verify" command only checks the trust chain; peer name
> > > verification is not in scope.
> >
> > It could fail to validate the chain, given the fact that the extension
> > is set critical, and not handled, even if recognized.
>
> This is what the 1.0.0 version in fact does, but it also (as I just
> learned) supports name constraints. The 0.9.8 version of the verify(1)
> command-line utility does not check critical extensions:
>
>     if (ctx->error == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) ok=1;
>
> The API raises the error, but verify(1) does not report it. In 1.0.0
> there is a new command-line switch to ignore critical extensions.

The verify utility is designed to continue where possible for debugging
purposes. It should report the error via the callback and carry on.

OpenSSL 0.9.8 also includes an option to ignore critical extensions:
-ignore_critical

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
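An added example (my own shell script, not code from OpenSSL or from anyone in this thread) showing the behaviour discussed above from the command line: it builds a CA with a critical permitted-subtree name constraint, issues one compliant and one violating leaf, and runs `openssl verify` on both, including once with -ignore_critical to show that the switch only covers unhandled critical extensions and does not bypass a constraint the library enforces. It assumes an openssl binary of 1.0.0 or later on PATH; the host names, file paths and serial numbers are constructed.

```shell
#!/bin/sh
# Added example, not OpenSSL's or any poster's code: a CA whose critical
# NameConstraints permit only DNS names under .example.test, one compliant
# and one violating leaf, and what `openssl verify` (1.0.0+) says of each.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Constructed config: [req] drives the self-signed CA, [ca_ext] its extensions.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Constrained Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = critical,permitted;DNS:.example.test
EOF
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# issue_leaf NAME SERIAL: sign a leaf whose CN and SAN are both NAME.
issue_leaf() {
  openssl req -new -config "$WORK/ca.cnf" -subj "/CN=$1" -newkey rsa:2048 \
    -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -set_serial "$2" -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# verify_leaf NAME [verify options...]: prints OK or FAIL for the chain check.
verify_leaf() {
  name=$1; shift
  if openssl verify "$@" -CAfile "$WORK/ca.pem" "$WORK/$name.pem" 2>/dev/null | grep -q ': OK$'; then
    echo OK
  else
    echo FAIL
  fi
}

issue_leaf www.example.test 1
issue_leaf www.other.test 2
echo "permitted name: $(verify_leaf www.example.test)"
echo "excluded name:  $(verify_leaf www.other.test)"
# A constraint violation is a recognised error, not an unhandled critical
# extension, so -ignore_critical does not make it pass.
echo "excluded name with -ignore_critical: $(verify_leaf www.other.test -ignore_critical)"
```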
Re: [openssl-users] Re: NameConstraints are not being applied (or I don't know how to enforce them?)
On Thu, Jun 03, 2010 at 09:45:36PM +0200, Erwann ABALEA wrote:

> Hodie III Non. Iun. MMX, Victor Duchovni scripsit:
> > On Thu, Jun 03, 2010 at 02:32:10PM -0400, jeff wrote:
> >
> > > > I would expect such constraints to only apply when
> > > > certificates are being *verified*. There seems to be
> > > > little point in preventing a CA from attempting to sign
> > > > violating certificates.
> > >
> > > Yes, I later tried to "verify" and I still got no complaints.
> >
> > As I said, the "verify" command only checks the trust chain; peer name
> > verification is not in scope.
>
> It could fail to validate the chain, given the fact that the extension
> is set critical, and not handled, even if recognized.

This is what the 1.0.0 version in fact does, but it also (as I just
learned) supports name constraints. The 0.9.8 version of the verify(1)
command-line utility does not check critical extensions:

    if (ctx->error == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) ok=1;

The API raises the error, but verify(1) does not report it. In 1.0.0
there is a new command-line switch to ignore critical extensions.

--
Viktor.
Re: [openssl-users] Re: NameConstraints are not being applied (or I don't know how to enforce them?)
Hodie III Non. Iun. MMX, Victor Duchovni scripsit:
> On Thu, Jun 03, 2010 at 02:32:10PM -0400, jeff wrote:
>
> > > I would expect such constraints to only apply when
> > > certificates are being *verified*. There seems to be
> > > little point in preventing a CA from attempting to sign
> > > violating certificates.
> >
> > Yes, I later tried to "verify" and I still got no complaints.
>
> As I said, the "verify" command only checks the trust chain; peer name
> verification is not in scope.

It could fail to validate the chain, given the fact that the extension
is set critical, and not handled, even if recognized.

--
Erwann ABALEA
When birds fly in the right formation, they need only exert half the effort.
Even in nature, teamwork results in collective laziness.
Demotivators, 2001 calendar
Re: NameConstraints are not being applied (or I don't know how to enforce them?)
On Thu, Jun 03, 2010 at 02:32:10PM -0400, jeff wrote:

> > I would expect such constraints to only apply when
> > certificates are being *verified*. There seems to be
> > little point in preventing a CA from attempting to sign
> > violating certificates.
>
> Yes, I later tried to "verify" and I still got no complaints.

As I said, the "verify" command only checks the trust chain; peer name
verification is not in scope.

> > Does OpenSSL trust chain validation include any checks on name
> > constraints?
>
> If there is an additional step that I need to apply for this verification
> to happen then I don't know that, and I'd appreciate it if you could
> detail that, please. Thanks.

New code to support name constraints appears to be in OpenSSL 1.0.0. I
don't believe this is present in any 0.9.x versions. Which version of
OpenSSL are you using?

--
Viktor.