[openssl-dev] [openssl.org #3621] Support legacy CA removal, ignore unnecessary intermediate CAs in SSL/TLS handshake by default

Ray Satiro raysatiro at yahoo.com
Wed May 27 04:41:12 UTC 2015 

On 3/16/2015 5:45 AM, Kai Engert via RT wrote:
> Thank you very much for your work on this issue!
> In my testing so far, it works as requested.
>
> I noticed the code changes in x509_vfy.c apply fine on top of the 1.0.2
> stable branch, and the test suite succeeeds.
>
> Will you consider to add this enhancement in a feature release on the
> 1.0.2 branch?

I second this. It looks like this is also discussed in bug #2634 where 
it was considered an enhancement and therefore will not be in 1.0.2. It 
seems more like a bug fix to me though. If OpenSSL can complete the 
chain it should. What would be the disadvantage of doing so?

I work on the cURL project and I've encountered this problem twice in 
the last month.

The first time was a reporter mentioned an issue connecting to Apache 
git-wip-us.apache.org. That looks to be the VeriSign issue discussed in 
#2634. The server at the time had sent the old intermediate "VeriSign 
Class 3 Public Primary Certification Authority - G5" signed by "Class 3 
Public Primary Certification Authority" (VeriSign root legacy) which is 
no longer included in the Mozilla bundle. The bundle does include the 
newer "VeriSign Class 3 Public Primary Certification Authority - G5" 
(now a root) but OpenSSL didn't use it to complete the chain. It looks 
like the Apache team fixed the issue [1] by removing the old VeriSign 
intermediate. But by doing that clients with an older bundle can no 
longer connect.

The second time just this evening, I'm investigating a reported latency 
issue (unrelated) with mediafire.com. Its server sends 6 intermediate 
certificates and one of the intermediates (actually 2 if you count the 
dupe) is a legacy intermediate that is now a root. "thawte Primary Root 
CA" sent by the server is signed by "Thawte Premium Server CA" (thawte 
root legacy) which is no longer included in the Mozilla bundle. The 
bundle does include the newer "thawte Primary Root CA" (now a root) and, 
same as above, OpenSSL didn't use it to complete the chain.

Internet Explorer and Firefox handled both verifications correctly, as 
one would expect. I understand you may consider the behavior in OpenSSL 
< 1.1.0 to be correct but the end result here is that those clients with 
the newer bundles are going to fail verify unable to get issuer. There 
is a compatible issuer in the bundle. I don't know of any other examples 
but I can imagine as legacy certificates are removed the issue could 
persist.


[1]: https://issues.apache.org/jira/browse/INFRA-9605

More information about the openssl-dev mailing list