Re: [openssl-dev] verify depth behavior change from 1.0.2 to 1.1.0?

2017-04-04 Thread Short, Todd via openssl-dev
Ben Kaduk:

Do we know the values that are being passed to SSL_CTX_set_verify_depth() match 
the -verify_depth argument, or do they differ?
If they differ, do identical arguments to the function behave the same in 1.1.0 
and 1.0.2?

Viktor:

What we’re getting at here is that this appears to be a potentially 
significant behavioral change. We want to understand it better.
--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."

> On Apr 3, 2017, at 4:43 PM, Viktor Dukhovni wrote:
> 
>> On Apr 3, 2017, at 4:26 PM, Benjamin Kaduk wrote:
>> 
>> There was a fair amount of churn in x509_vfy.c with the inclusion
>> of the DANE stuff and whatnot, so it's not immediately clear to me
>> when this change actually happened.  I think there are good
>> arguments for the current 1.1.0 behavior and it doesn't really make
>> sense to try to change back to the historical behavior, but it would
>> be good to know when the change actually happened and that it is/was
>> a known change.  Ideally we could also document the different
>> behavior between 1.0.x and 1.1.0 better; any thoughts about where to
>> do so?
> 
> https://www.openssl.org/docs/man1.1.0/apps/verify.html
> 
>   -verify_depth num
> 
> Limit the certificate chain to num intermediate CA certificates.
> A maximal depth chain can have up to num+2 certificates, since
> neither the end-entity certificate nor the trust-anchor
> certificate count against the -verify_depth limit.
> 
> https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_verify_depth.html
> 
> SSL_CTX_set_verify_depth() sets the maximum depth for the
> certificate chain verification that shall be allowed for ctx.
> (See the BUGS section.)
> ...
> BUGS
> 
> The certificate verification depth set with SSL[_CTX]_verify_depth()
> stops the verification at a certain depth. The error message
> produced will be that of an incomplete certificate chain and
> not X509_V_ERR_CERT_CHAIN_TOO_LONG as may be expected.
> 
> The 1.0.2 behaviour was under-documented and somewhat broken.  This
> was fixed in 1.1.0.
> 
> Unfortunately, SSL_CTX_set_verify_depth(3) was not brought up to date;
> contributions welcome:
> 
>   https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_verify_depth.html
> 
> --
> Viktor.

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev



Re: [openssl-dev] verify depth behavior change from 1.0.2 to 1.1.0?

2017-04-03 Thread Viktor Dukhovni

> On Apr 3, 2017, at 4:26 PM, Benjamin Kaduk wrote:
> 
> There was a fair amount of churn in x509_vfy.c with the inclusion
> of the DANE stuff and whatnot, so it's not immediately clear to me
> when this change actually happened.  I think there are good
> arguments for the current 1.1.0 behavior and it doesn't really make
> sense to try to change back to the historical behavior, but it would
> be good to know when the change actually happened and that it is/was
> a known change.  Ideally we could also document the different
> behavior between 1.0.x and 1.1.0 better; any thoughts about where to
> do so?

https://www.openssl.org/docs/man1.1.0/apps/verify.html

   -verify_depth num

Limit the certificate chain to num intermediate CA certificates.
A maximal depth chain can have up to num+2 certificates, since
neither the end-entity certificate nor the trust-anchor
certificate count against the -verify_depth limit.

https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_verify_depth.html

SSL_CTX_set_verify_depth() sets the maximum depth for the
certificate chain verification that shall be allowed for ctx.
(See the BUGS section.)
...
BUGS

The certificate verification depth set with SSL[_CTX]_verify_depth()
stops the verification at a certain depth. The error message
produced will be that of an incomplete certificate chain and
not X509_V_ERR_CERT_CHAIN_TOO_LONG as may be expected.

The 1.0.2 behaviour was under-documented and somewhat broken.  This
was fixed in 1.1.0.


Unfortunately, SSL_CTX_set_verify_depth(3) was not brought up to date;
contributions welcome:

   https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_verify_depth.html

-- 
Viktor.



[openssl-dev] verify depth behavior change from 1.0.2 to 1.1.0?

2017-04-03 Thread Benjamin Kaduk via openssl-dev
Hi all,

We noticed that the depth limit check seems to behave differently
between 1.0.2 and 1.1.0.

In particular, with a (1.1.0)

openssl/test$ ../util/shlib_wrap.sh ../apps/openssl s_server -port 8080
-cert certs/ee-cert.pem -certform PEM -key certs/ee-key.pem -keyform PEM
-no-CApath -CAfile certs/root-cert.pem -chainCAfile certs/ca-cert.pem

running, I can then go poke at it with s_client and look for the 'Verify
return code' output from:

openssl s_client -connect localhost:8080 -CAfile
test/certs/root-cert.pem -verify_depth N

for N equal to 0, 1, or 2.

With a 1.0.2 s_client,

N=0 --> "Verify return code: 21 (unable to verify the first certificate)"
N=1 --> "Verify return code: 20 (unable to get local issuer certificate)"
N=2 --> "Verify return code: 0 (ok)"

But the 1.1.0 s_client shows:

N=0 --> "Verify return code: 22 (certificate chain too long)"
N=1 --> "Verify return code: 0 (ok)"
N=2 --> "Verify return code: 0 (ok)"

The new behavior (which does not consider the root to be part of the
chain for purposes of verification) seems to be intentional, and is
explicitly tested in test/recipes/25-test_verify.t:


# Depth tests, note the depth limit bounds the number of CA certificates
# between the trust-anchor and the leaf, so, for example, with a root->ca->leaf
# chain, depth = 1 is sufficient, but depth == 0 is not.
#
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-verify_depth", "2"),
   "accept chain with verify_depth 2");
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-verify_depth", "1"),
   "accept chain with verify_depth 1");
ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-verify_depth", "0"),
   "accept chain with verify_depth 0");


There was a fair amount of churn in x509_vfy.c with the inclusion of the
DANE stuff and whatnot, so it's not immediately clear to me when this
change actually happened.  I think there are good arguments for the
current 1.1.0 behavior and it doesn't really make sense to try to change
back to the historical behavior, but it would be good to know when the
change actually happened and that it is/was a known change.  Ideally we
could also document the different behavior between 1.0.x and 1.1.0
better; any thoughts about where to do so?

Thanks,

Ben
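As an added illustration of the two counting rules discussed in this thread (this is not OpenSSL code and not from any of the posters), the following Python models how -verify_depth bounds chain construction in 1.0.2 versus 1.1.0 and reproduces the s_client return codes Ben reported for a root -> ca -> leaf chain: in 1.1.0 the limit counts only the intermediates between leaf and trust anchor and the failure is X509_V_ERR_CERT_CHAIN_TOO_LONG; in 1.0.2 the builder stops at depth+1 certificates, so the root counts and the failure surfaces as an incomplete chain, as the 1.0.2 BUGS section warns. The Cert class, build_chain, the certificate names and the 1.0.2 stop-at-depth+1 rule are constructed for this model; the numeric X509_V_* codes are OpenSSL's. It also generalizes to chains of other lengths through min_depth.

```python
# Added example (not OpenSSL code): a model of how -verify_depth bounds chain
# building in OpenSSL 1.0.2 versus 1.1.0. Cert, build_chain and the names
# below are constructed for this illustration; the codes are OpenSSL's.
from dataclasses import dataclass

X509_V_OK = 0
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20  # "unable to get local issuer certificate"
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = 21    # "unable to verify the first certificate"
X509_V_ERR_CERT_CHAIN_TOO_LONG = 22                # "certificate chain too long"


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for X509: only the issuer link matters here."""
    subject: str
    issuer: str


def build_chain(leaf, untrusted, trusted, max_len=None):
    """Walk issuer links from the leaf, preferring peer-supplied (untrusted)
    certificates and falling back to the trust store. Returns (chain, anchored).
    max_len models the 1.0.2 builder, which stops once depth+1 certs are present."""
    untrusted_by_subject = {c.subject: c for c in untrusted}
    store = {c.subject: c for c in trusted}
    chain = [leaf]
    while True:
        cur = chain[-1]
        if cur.subject in store:
            return chain, True               # reached a trust anchor
        if max_len is not None and len(chain) >= max_len:
            return chain, False              # depth exhausted before the anchor
        nxt = untrusted_by_subject.get(cur.issuer) or store.get(cur.issuer)
        if nxt is None or nxt in chain:
            return chain, False              # dangling issuer or a loop
        chain.append(nxt)


def _incomplete_chain_error(chain):
    # Mirrors the errors in the thread: 21 when only the leaf was found,
    # 20 when some intermediates were found but the anchor was not.
    if len(chain) == 1:
        return X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
    return X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY


def verify_110(leaf, untrusted, trusted, depth):
    """1.1.0 semantics per verify(1): the whole chain is built, then the number
    of intermediate CAs (neither endpoint counts) is checked against depth."""
    chain, anchored = build_chain(leaf, untrusted, trusted)
    if not anchored:
        return _incomplete_chain_error(chain)
    intermediates = len(chain) - 2
    if intermediates > depth:
        return X509_V_ERR_CERT_CHAIN_TOO_LONG
    return X509_V_OK


def verify_102(leaf, untrusted, trusted, depth):
    """1.0.2 semantics per the BUGS note (modelled as a stop at depth+1 certs):
    the trust anchor counts against the limit and the failure is reported as an
    incomplete chain, never as CERT_CHAIN_TOO_LONG."""
    chain, anchored = build_chain(leaf, untrusted, trusted, max_len=depth + 1)
    if not anchored:
        return _incomplete_chain_error(chain)
    return X509_V_OK


def min_depth(chain_len, version):
    """Smallest -verify_depth that accepts a complete chain of chain_len certs:
    intermediates only in 1.1.0, intermediates plus the root in 1.0.2."""
    return chain_len - 2 if version == "1.1.0" else chain_len - 1


# Constructed root -> ca -> leaf chain mirroring the test/certs names in the thread.
ROOT = Cert("root-cert", "root-cert")
CA = Cert("ca-cert", "root-cert")
EE = Cert("ee-cert", "ca-cert")


def results(verify):
    """Verify return code for -verify_depth 0, 1 and 2, as in Ben's table."""
    return {n: verify(EE, [CA], [ROOT], n) for n in (0, 1, 2)}


if __name__ == "__main__":
    print("1.0.2:", results(verify_102))   # {0: 21, 1: 20, 2: 0}
    print("1.1.0:", results(verify_110))   # {0: 22, 1: 0, 2: 0}
    print("min depth for a 3-cert chain:", min_depth(3, "1.0.2"), min_depth(3, "1.1.0"))
```

The practical consequence for anyone carrying a 1.0.2 configuration forward is that a depth value tuned to 1.0.2 is one larger than 1.1.0 needs, and that a chain rejected for length now fails with code 22 rather than 20 or 21, which matters for anything that keys alerting or retry logic on the verify result.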