[openssl-dev] OpenSSL version 1.1.0 pre release 2 published
Jouni Malinen
j at w1.fi
Fri Jan 15 09:05:41 UTC 2016
On Thu, Jan 14, 2016 at 03:35:48PM -0500, Viktor Dukhovni wrote:
> Thanks for the prompt error report. If you're willing to share your
> test chains, and if it is likely to be not too difficult to include
> them with the OpenSSL bundled tests, that might be worth looking into.
All the test case I use with hostapd/wpa_supplicant hwsim testing are
available in the public git://w1.fi/hostap.git repository under the
tests/hwsim directory. Most cases that are of interest to OpenSSL are in
these files:
http://w1.fi/cgit/hostap/plain/tests/hwsim/test_ap_eap.py
http://w1.fi/cgit/hostap/plain/tests/hwsim/test_suite_b.py
The certificates used in the tests are in this directory:
http://w1.fi/cgit/hostap/tree/tests/hwsim/auth_serv
For the time being, all the certificates are from the repository, but
some of the OCSP responses used in the test cases are created
dynamically when executing the test cases.
> We definitely need more chain verification test cases, and yours failed
> with the unpatched "openssl verify" when used just right:
>
> $ openssl verify -trusted ca-incorrect.pem -untrusted ca.pem \
> -purpose sslserver server.pem
>
> The untrusted ca.pem came up trusted incorrectly. The new DANE-specific
> chain tests are much more comprehensive at this time than the non-DANE
> ones, we'll need to address that before the final release.
Ah, I didn't even think of the possibility of the CA certificate sent by
the server getting trusted, so I just ran openssl verify with -CAfile..
I have been mainly focusing on different areas for
EAP-TLS/TTLS/PEAP/FAST testing, so the number of chain verification
tests that depend on internal OpenSSL functionality is still quite
small. I'm hoping to increase this, but it will take quite a bit of time
and effort to get that done.. I have higher priority on covering the
additional constraints for validation based on the steps that
wpa_supplicant can do on top of the OpenSSL chain validation (e.g.,
checking specific domain suffix and other subject/altsubject
information and OCSP) and handling different formats of certificate and
private key encoding.
Based on a quick search through the test cases, these are the trivial
combinations that can be executed with openssl verify. This assumes the
commands are run within that tests/hwsim/auth_server directory.
OPENSSL=openssl
echo "Should succeed"
$OPENSSL verify -trusted ca.pem -purpose sslserver server.pem
$OPENSSL verify -trusted ca.pem -untrusted ca.pem -purpose sslserver server.pem
$OPENSSL verify -trusted ca.pem -purpose sslclient user.pem
$OPENSSL verify -trusted iCA-user/ca-and-root.pem -untrusted iCA-server/cacert.pem -purpose sslserver iCA-server/server.pem
$OPENSSL verify -trusted iCA-server/ca-and-root.pem -untrusted iCA-user/cacert.pem -purpose sslclient iCA-user/user.pem
$OPENSSL verify -trusted ca.pem -purpose sslserver server-eku-client-server.pem
$OPENSSL verify -trusted ca.pem -purpose sslserver server-long-duration.pem
$OPENSSL verify -trusted sha512-ca.pem -purpose sslserver sha512-server.pem
$OPENSSL verify -trusted sha512-ca.pem -purpose sslserver sha384-server.pem
$OPENSSL verify -trusted sha512-ca.pem -purpose sslclient sha512-user.pem
$OPENSSL verify -trusted sha512-ca.pem -purpose sslclient sha384-user.pem
$OPENSSL verify -trusted ec-ca.pem -purpose sslserver ec-server.pem
$OPENSSL verify -trusted ec-ca.pem -purpose sslclient ec-user.pem
$OPENSSL verify -trusted ec2-ca.pem -purpose sslserver ec2-server.pem
$OPENSSL verify -trusted ec2-ca.pem -purpose sslclient ec2-user.pem
echo "Should fail"
$OPENSSL verify -trusted ca-incorrect.pem -untrusted ca.pem -purpose sslserver server.pem
$OPENSSL verify -trusted ca-incorrect.pem -purpose sslserver server.pem
$OPENSSL verify -trusted ca-incorrect.pem -untrusted ca.pem -purpose sslclient user.pem
$OPENSSL verify -trusted ca-incorrect.pem -purpose sslclient user.pem
$OPENSSL verify -trusted ca.pem -purpose sslserver server-eku-client.pem
$OPENSSL verify -trusted ca.pem -purpose sslserver server-expired.pem
--
Jouni Malinen PGP id EFC895FA
More information about the openssl-dev
mailing list