[openssl-dev] [openssl.org #4644] bug: cert verification always examining entire chain

Viktor Dukhovni openssl-users at dukhovni.org
Tue Aug 9 19:18:00 UTC 2016


> On Aug 9, 2016, at 2:52 PM, Salz, Rich via RT <rt at openssl.org> wrote:
> 
> As Viktor pointed out, this doesn't work in 1.0.1

The story is a bit more complicated.  What's really going on is that
root (self-signed) CAs in the trust store are backwards-compatible
implicit trust-anchors for all purposes.  Intermediate certificates
require auxiliary trust settings in the trust store to specify any
purposes for which they are trusted or rejected as trust-anchors.

Trusted certificates can be created via the "-addtrust" option of
"openssl x509".  I've not checked 1.0.1, but explicitly trusted
intermediates are likely to work with 1.0.1 if decorated as trusted via:

   openssl x509 -in cert.pem -trustout -addtrust serverAuth -out trusted.pem

or:

   openssl x509 -in cert.pem -trustout -addtrust anyExtendedKeyUsage -out trusted.pem

or similar.

-- 
	Viktor.
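As an added, runnable illustration of the point above (this is example code written for this page, not part of Viktor's post or of OpenSSL itself): the script builds a throwaway root -> intermediate -> leaf PKI with EC keys, decorates the intermediate with the two `-addtrust` variants from the post, and then asks `openssl verify` to accept the leaf using only the intermediate as the trust store, with no `-partial_chain`. It goes slightly beyond the post by also showing what happens when the verification purpose does not match the trust setting, and by checking the root as an implicit anchor for every purpose. It assumes OpenSSL 1.1.0 or later (it was not checked against 1.0.1); all certificate names, file names and the config file are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: demonstrates OpenSSL's aux
# trust settings ("openssl x509 -trustout -addtrust ...") on an intermediate CA.
# Assumes OpenSSL 1.1.0+ semantics; every name and file here is constructed.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Private config so the run does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
EOF

# gen_req <name> <cn> <outfile> [extra req args]: P-256 key plus a CSR, or a
# self-signed certificate when "-x509 -extensions v3_ca" is passed.
gen_req() {
    _name=$1; _cn=$2; _out=$3; shift 3
    openssl req -new -config "$WORK/openssl.cnf" -nodes \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -subj "/CN=$_cn" -keyout "$WORK/$_name.key" -out "$_out" "$@" 2>/dev/null
}

# make_pki: root (self-signed), intermediate (signed by root), leaf (signed by
# intermediate), plus the two decorated copies of the intermediate from the post.
make_pki() {
    gen_req root Example-Root "$WORK/root.pem" -x509 -days 30 -extensions v3_ca || return 1
    gen_req inter Example-Intermediate "$WORK/inter.csr" || return 1
    openssl x509 -req -days 30 -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/openssl.cnf" \
        -extensions v3_ca -out "$WORK/inter.pem" 2>/dev/null || return 1
    gen_req leaf www.example.test "$WORK/leaf.csr" || return 1
    openssl x509 -req -days 30 -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" \
        -CAkey "$WORK/inter.key" -CAcreateserial -extfile "$WORK/openssl.cnf" \
        -extensions v3_leaf -out "$WORK/leaf.pem" 2>/dev/null || return 1
    # Trusted for TLS server use only
    openssl x509 -in "$WORK/inter.pem" -trustout -addtrust serverAuth \
        -out "$WORK/inter-serverauth.pem" || return 1
    # Trusted for any purpose
    openssl x509 -in "$WORK/inter.pem" -trustout -addtrust anyExtendedKeyUsage \
        -out "$WORK/inter-anyeku.pem"
}

# pem_label <file>: "CERTIFICATE" for a plain cert, "TRUSTED CERTIFICATE"
# once -trustout has attached aux trust settings.
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# chain_result <anchor-file> [purpose] [untrusted-file]: "accepted" when
# "openssl verify" builds a trusted chain for leaf.pem with <anchor-file> as
# the whole trust store, otherwise "rejected".  -partial_chain is never used,
# so a non-self-signed anchor is accepted only through its own trust settings.
chain_result() {
    _anchor=$1; _purpose=${2:-}; _untrusted=${3:-}
    set --
    [ -n "$_purpose" ] && set -- "$@" -purpose "$_purpose"
    [ -n "$_untrusted" ] && set -- "$@" -untrusted "$_untrusted"
    if openssl verify "$@" -CAfile "$_anchor" "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

make_pki || { echo "could not build the example PKI" >&2; exit 1; }
printf '%-22s %-20s %-9s %-9s %s\n' anchor "PEM label" default sslserver sslclient
for f in inter inter-serverauth inter-anyeku; do
    a="$WORK/$f.pem"
    printf '%-22s %-20s %-9s %-9s %s\n' "$f.pem" "$(pem_label "$a")" \
        "$(chain_result "$a")" "$(chain_result "$a" sslserver)" "$(chain_result "$a" sslclient)"
done
# The self-signed root needs no decoration: implicit anchor for every purpose.
printf '%-22s %-20s %-9s %-9s %s\n' "root.pem (+inter)" "$(pem_label "$WORK/root.pem")" \
    "$(chain_result "$WORK/root.pem" "" "$WORK/inter.pem")" \
    "$(chain_result "$WORK/root.pem" sslserver "$WORK/inter.pem")" \
    "$(chain_result "$WORK/root.pem" sslclient "$WORK/inter.pem")"
```

The plain intermediate is rejected for every purpose because, unlike the root, it is not self-signed and carries no trust settings. The `serverAuth` copy is accepted only under `-purpose sslserver`: with explicit trust settings present, a non-matching purpose (and the default verify, which looks for `anyExtendedKeyUsage`) results in an explicit reject rather than a fall back to the old compatibility behaviour. The `anyExtendedKeyUsage` copy behaves like a root for every purpose, which is why the post calls that the "or similar" catch-all.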


