[openssl-dev] [openssl.org #3621] Support legacy CA removal, ignore unnecessary intermediate CAs in SSL/TLS handshake by default

[Hubert Kario via RT]

On Friday 05 December 2014 15:18:30 you wrote:
> When discussing this issue, my colleague Hubert Kario made me aware of a
> flag offered by e.g. the openssl s_client utility: "-trusted_first".
> When using -trusted_first, the server verification works successfully in
> the above scenario.
> 
> Given that the suggestion is to change openssl's default behaviour,
> changing openssl to use the -trusted_first mode by default might
> potentially be a solution. However, it's not obvious if this mode could
> have other side effects that are undesirable.
> 
> Therefore I suggest to discuss which approach is best to support the
> removal of legacy CAs, either by changing the default of the
> -trusted_first setting, or by implementing another solution. I think it
> would be good to find a solution that could be backported to the openssl
> 1.0.1 branch.

For what it's worth, I have tested the Alexa top 1 million servers with the
-trusted_first option and haven't found a single server that looses its 
trusted status, on the other hand, good few percent of servers do gain it.
That doesn't mean there aren't any (or that I haven't made a mistake in the 
tests), but I can't think of a CA structure that would validate correctly with 
old mode while not with the new mode (so at least the experiment matches 
theory).

More specifically the test was done by setting X509_STORE_set_flags(store, 
X509_V_FLAG_TRUSTED_FIRST); during verification. Full code that I used for 
testing is available here:
https://github.com/jvehent/cipherscan/blob/master/top1m/parse_CAs.c
https://github.com/jvehent/cipherscan/blob/master/top1m/process-certificate-statistics.sh
(the baseline was achieved by just commenting out the above mentioned line)
-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic