[openssl-users] Certificate Verify and non-root Trust Anchors
Dr. Pala
madwolf at openca.org
Tue Dec 12 00:41:35 UTC 2017
Hi Viktor,
Does it matter that we are not in the TLS case (maybe the code is
different in the SSL_CTX)? I am just trying to validate the chain with
the TA set to the SubCA... :D
IMHO, the correct (or, better, the expected) behavior (from a
developer's standpoint) would be to trust keys in the trusted
certificates list, no matter if they are in the form of a Self-Signed or
non-Self-Signed certificate - after all, it is a Trust Anchor --> just a
Public Key :D
Just my 2 cents...
Cheers,
Max
On 12/11/17 4:54 PM, Viktor Dukhovni wrote:
>
>> On Dec 11, 2017, at 6:27 PM, Michael Richardson <mcr at sandelman.ca> wrote:
>>
>> I believe that I ran into a similar problem whereby I could not pin
>> ('trust') an intermediate certificate (which was not self-signed) for the
>> purposes of verifying a CMS/PKCS7 object.
>>
>> I don't have a solution, and I believe that work is required.
> As I already mentioned a few times, the new X509_V_FLAG_PARTIAL_CHAIN
> flag added in 1.0.2 addresses this issue.
>
> To get pinning provide a trust store with just the pinned issuer CA,
> and X509_V_FLAG_PARTIAL_CHAIN set.
>
> With OpenSSL 1.1.0 one can also implement pinning by computing a TLSA
> record for the pinned CA, and using OpenSSL's DANE support. OpenSSL
> does not do the DNS lookups to find TLSA records, that's up to the
> application, so the TLSA records can be entirely synthetic (e.g.
> derived from suitable hashes of a pinned CA cert or its public key).
>
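The pinning recipe Viktor describes above (a trust store holding only the pinned issuer CA, plus X509_V_FLAG_PARTIAL_CHAIN), as an added, self-contained shell example that is not from this thread or from OpenSSL's own sources. It builds a constructed root -> intermediate -> leaf chain with the openssl CLI and verifies the leaf against a store that contains only the non-self-signed intermediate, first without and then with -partial_chain, the verify(1) switch for that flag; the subject names and the temp directory are arbitrary.

```shell
#!/bin/sh
# Added example (not from the thread): build a constructed root -> intermediate
# -> leaf chain with the openssl CLI, then verify the leaf against a trust store
# that holds ONLY the non-self-signed intermediate, with and without -partial_chain
# (the CLI switch for X509_V_FLAG_PARTIAL_CHAIN). Requires OpenSSL 1.0.2 or later.

# Generate the throwaway PKI once, in a temp dir recorded in PKI_DIR.
setup_pki() {
  [ -n "$PKI_DIR" ] && return 0
  PKI_DIR=$(mktemp -d)
  cd "$PKI_DIR" || return 1
  # CA extensions: chain building only accepts the intermediate as an issuer if it is a CA.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  # Self-signed root.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root' \
    -keyout root.key -out root.pem >/dev/null 2>&1
  # Intermediate, signed by the root: a trust anchor that is NOT self-signed.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
    -keyout int.key -out int.csr >/dev/null 2>&1
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out int.pem >/dev/null 2>&1
  # Leaf, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=leaf.example' \
    -keyout leaf.key -out leaf.csr >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 1 -out leaf.pem >/dev/null 2>&1
}

# Verify leaf.pem with a store containing only int.pem. Extra args (e.g.
# -partial_chain) are passed straight to 'openssl verify'; its exit status is returned.
verify_leaf() {
  setup_pki || return 2
  openssl verify "$@" -CAfile "$PKI_DIR/int.pem" "$PKI_DIR/leaf.pem"
}

# Named wrappers for the two cases.
verify_without_partial_chain() { verify_leaf; }
verify_with_partial_chain()    { verify_leaf -partial_chain; }

if command -v openssl >/dev/null 2>&1; then
  echo '--- trust store = intermediate only, no -partial_chain (expected: failure)'
  verify_without_partial_chain || echo "exit status $?: chain does not reach a self-signed root"
  echo '--- same store with -partial_chain (expected: OK)'
  verify_with_partial_chain
else
  echo 'openssl CLI not found; nothing to demonstrate' >&2
fi
```

Without the flag the store entry is treated only as an intermediate and verification stops with "unable to get issuer certificate"; with the flag the intermediate itself is accepted as the trust anchor.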