[openssl-dev] Is X509_V_FLAG_TRUSTED_FIRST safe to backport to 1.0.1

[Matt Caswell]

On 15/01/15 14:13, Fedor Indutny wrote:
> Hello!
> 
> During the course of deprecation of stale 1024bit CA certs,
> node.js and io.js project teams have identified the problem with
> how OpenSSL client handles the server's certificate chain. It is
> quite evident that it ignores certificate store and loads issuer
> from the chain that was received. This leads to the problems with
> AWS and probably other service providers who sent the stale
> **alternative** certificate chain with same serial numbers, but
> 1024bit CA certificates.
> 
> I have already tried proposing a solution to the OpenSSL team:
> 
> https://www.mail-archive.com/openssl-dev@openssl.org/msg37721.html
> 
> But one of the node.js contributors we have found this commit (from 2010):
> 
> https://github.com/openssl/openssl/commit/db28aa86e00b9121bee94d1e65506bf22d5ca6e3
> 
> The main question that I have is:
> 
> Is it safe to float this patch on top of 1.0.1k and use it? From
> my knowledge of code it appears to be pretty harmless, however
> the fact that it wasn't backported in 5 years makes me wonder if
> it was considered safe after all.

There are some concerns about the performance of trusted_first.
Successful certificate look ups are cached, whilst failed ones are not.
Therefore using trusted_first *could* have an adverse impact.

This issue is currently under discussion within the dev team. I have an
alternative patch that addresses the same issue in a different way.
Essentially it works in a similar way to that which you proposed in
RT3637. However I have some issues with that patch, so I've done it
slightly differently.

RT3621 is also relevant here.

Matt