<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Georgia;
panose-1:2 4 5 2 5 4 5 2 3 3;}
@font-face
{font-family:inherit;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">According to <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_add_extra_chain_cert.html">
https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_add_extra_chain_cert.html</a>, openssl will search the default locations for chain building:</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0in;margin-bottom:.0001pt;background:#F8F8F8;vertical-align:baseline">
“<span style="font-size:14.0pt;font-family:"Georgia",serif;color:#222222">If no chain is specified, the library will try to complete the chain from the available CA certificates in the trusted CA storage, see<span class="apple-converted-space"> </span><a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_load_verify_locations.html"><span style="font-family:"inherit",serif;color:#751590;border:none windowtext 1.0pt;padding:0in">SSL_CTX_load_verify_locations</span></a>.</span>”</p>
<p style="margin:0in;margin-bottom:.0001pt;background:#F8F8F8;vertical-align:baseline">
<span style="font-size:14.0pt;font-family:"Georgia",serif;color:#222222"><o:p> </o:p></span></p>
<div style="mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="border:none;padding:0in"><b>From: </b><a href="mailto:leikong@msn.com">Lei Kong</a><br>
<b>Sent: </b>Friday, April 21, 2017 2:10 PM<br>
<b>To: </b><a href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a><br>
<b>Subject: </b>RE: [openssl-users] Certificate chain validation</p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Right on! <o:p></o:p></p>
<p class="MsoNormal">I think it is indeed an issue of partial chain on the loading side.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">As a related question, on the loading side, do I need to provide the whole chain to SSL_CTX_use_certificate?<o:p></o:p></p>
<p class="MsoNormal">If intermediate CA certificate is installed into default locations like /ets/ssl/certs, and only end certificate is passed to SSL_CTX_use_certificate, will openssl search the default locations to build a complete chain before sending it
to the remote side?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From: </b><a href="mailto:jb-openssl@wisemo.com">Jakob Bohm</a><br>
<b>Sent: </b>Friday, April 21, 2017 5:10 AM<br>
<b>To: </b><a href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a><br>
<b>Subject: </b>Re: [openssl-users] Certificate chain validation<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">On 21/04/2017 03:37, Lei Kong wrote:<br>
><br>
> When validating a certificate issued by an intermediate certificate <br>
> authority, I noticed that I need to install both the root and the <br>
> intermediate CA certificate locally (with update-ca-certificates on <br>
> ubuntu 16.04). Verification fails if only root CA cert is installed <br>
> (intermediate is not installed), is this expected behavior? Why do I <br>
> need to install intermediate CA cert locally? Locally installed root <br>
> CA cert is not enough to validate intermediate CA cert?<br>
><br>
This is only necessary if the other end of the connection<br>
(incorrectly) forgets to include the intermediate in the<br>
certificate bundle sent with the data or protocol exchange.<br>
<br>
> Is it possible to make chain validation work with only root CA cert <br>
> installed locally?<br>
><br>
Yes, if the other end is not misconfigured and you pass the<br>
received certificate bundle to the appropriate validation<br>
related function as a list of untrusted additional certificates,<br>
which the certificate verification code can search for needed<br>
intermediate certificates.<br>
<br>
Enjoy<br>
<br>
Jakob<br>
-- <br>
Jakob Bohm, CIO, Partner, WiseMo A/S. <a href="https://www.wisemo.com">https://www.wisemo.com</a><br>
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10<br>
This public discussion message is non-binding and may contain errors.<br>
WiseMo - Remote Service Management for PCs, Phones and Embedded<br>
<br>
-- <br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users">
https://mta.openssl.org/mailman/listinfo/openssl-users</a><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>