[openssl-dev] [openssl-users] Failed to access LDAP server when a valid certificate is at <hash>.1+

Misaki Miyashita misaki.miyashita at oracle.com
Mon Jan 8 22:46:15 UTC 2018


(switching the alias to openssl-dev at openssl.org)

I would like to suggest the following fix so that a valid certificate at 
<hash>.x can be recognized during the cert validation even when <hash>.0 
links to a bad/expired certificate.  This may not be the most 
elegant solution, but it is a minimal change with low impact to the rest 
of the code.

Could I possibly get a review of the change, and could it possibly be 
considered for integration upstream?
(This is for the 1.0.1 branch)

Thanks in advance.

-- misaki


--- a/crypto/x509/x509_vfy.c    2017-11-02 07:32:58.000000000 -0700
+++ b/crypto/x509/x509_vfy.c    2017-12-11 12:37:55.591835780 -0800
@@ -185,6 +185,39 @@
      return xtmp;
  }

+/*
+ * Look through the trust store setup by get_issuer() and
+ * return the certificate which matches the server cert 'x'
+ * via 'xtmp'.
+ */
+static int X509_get_cert(X509 **xtmp, X509_STORE_CTX *ctx, X509 *x)
+{
+    X509_OBJECT    *tmp;
+    int            i;
+    int            ret = 0;
+
+    CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+    for (i = 0; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++) {
+        tmp = sk_X509_OBJECT_value(ctx->ctx->objs, i);
+        if (tmp == NULL) {
+            goto exit;
+        }
+        if (X509_cmp(tmp->data.x509, x) == 0) {
+            /*
+             * Found the cert in the trust store which matches the
+             * server cert.  Increment the ref count and return.
+             */
+            X509_OBJECT_up_ref_count(tmp);
+            *xtmp = tmp->data.x509;
+            ret = 1;
+            goto exit;
+        }
+    }
+exit:
+    CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+    return ret;
+}
+
  int X509_verify_cert(X509_STORE_CTX *ctx)
  {
      X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
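Review bot: the loop `for (i = 0; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)` hands `tmp->data.x509` to `X509_cmp()` for every object in the store without checking `tmp->type`; the store's object stack also holds CRL objects and `data` is a union, so a CRL entry would be compared as if it were a certificate. Add `if (tmp->type != X509_LU_X509) continue;` before the `X509_cmp()` call. Two smaller points: a `static` helper should not carry the `X509_` prefix reserved for the public API (a name like `find_cert_in_store()` avoids confusion with exported functions), and since the store is kept sorted by subject, starting at `X509_OBJECT_idx_by_subject()` and stopping when the subject no longer matches would avoid a linear walk over the whole store on every depth-zero self-signed check.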
@@ -316,9 +350,13 @@
                   * We have a single self signed certificate: see if we can
                   * find it in the store. We must have an exact match 
to avoid
                   * possible impersonation.
+                 * get_issuer() sets up the trust store for the subject and
+                 * returns the first cert via 'xtmp'. The first cert in the
+                 * trust store may not be the certificate that we are 
interested
+                 * in. Look through the trust store to see there is an 
exact match.
                   */
                  ok = ctx->get_issuer(&xtmp, ctx, x);
-                if ((ok <= 0) || X509_cmp(x, xtmp)) {
+                if ((ok <= 0) || (X509_get_cert(&xtmp, ctx, x) != 1)) {
                      ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
                      ctx->current_cert = x;
                      ctx->error_depth = i - 1;
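Review bot: `X509_get_cert(&xtmp, ctx, x)` overwrites the `xtmp` that `ctx->get_issuer(&xtmp, ctx, x)` filled in one line earlier, so on the match path the pointer get_issuer returned is silently replaced while the helper takes a fresh reference with `X509_OBJECT_up_ref_count()`; whatever the caller owned in `xtmp` is dropped without a free. Keep the get_issuer result in `xtmp` (it is now only needed to populate the store and to gate on `ok`), pass a separate local to the helper, and release the get_issuer result once the lookup has loaded the store. The new comment also has a missing word: "see there is an exact match" should read "see whether there is an exact match".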


On 10/21/17 03:21 PM, Viktor Dukhovni wrote:
>
> On Oct 21, 2017, at 11:20 AM, Misaki Miyashita <misaki.miyashita at oracle.com> wrote:
>
>> We encountered a problem using OpenLDAP with OpenSSL when there were more than one certificate with the same subject.
>>
>> Does OpenSSL stop searching for a valid certificate when it finds a certificate with matching DN?
> Yes, when a matching issuer is found in the trust store but is expired,
> no alternative certificates will be tested.  You need to remove outdated
> issuer certificates from your trust store before they expire.
>
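Viktor's advice in the quoted reply, remove outdated issuer certificates from the trust store before they expire, is the operational check a CApath owner needs. As an added example (not code from OpenSSL, OpenLDAP, or either poster), the stdlib-only Python below walks a CApath, groups `<hash>.N` files by hash, reports every expired entry, and separately flags the layout reported above: a `<hash>.0` that has expired while a later sibling with the same subject is still valid. The DER walker only extracts notAfter, so no `openssl` binary or third-party module is needed. The file name `deadbeef` stands in for the real subject hash that `c_rehash` would compute, the certificates are constructed in-block (unsigned, structurally valid placeholders), and the scan date 2018-01-08 is fixed so the demo is deterministic.

```python
# Added example (not OpenSSL or the posters' code): scan a CApath for <hash>.N
# siblings and flag expired ones using only the standard library.
import base64, datetime, os, re, tempfile

HASH_FILE = re.compile(r"^[0-9a-f]{8}\.(\d+)$")   # c_rehash cert names; <hash>.rN CRLs excluded
UTC = datetime.timezone.utc

def _tlv(buf, pos):
    """Decode one DER TLV at buf[pos] (single-byte tags, which is all X.509 uses)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: 0x8n, then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed DER value into its (tag, content) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, content, pos = _tlv(value, pos)
        out.append((tag, content))
    return out

def _parse_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ; RFC 5280: 50-99 -> 19xx) or GeneralizedTime (0x18)."""
    s = value.decode("ascii")
    if tag == 0x17:
        year, rest = (1900 if int(s[:2]) >= 50 else 2000) + int(s[:2]), s[2:]
    elif tag == 0x18:
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.datetime(year, *(int(rest[i:i + 2]) for i in range(0, 10, 2)), tzinfo=UTC)

def not_after(der):
    """notAfter of a DER X.509 certificate as an aware UTC datetime."""
    _, cert, _ = _tlv(der, 0)                           # Certificate ::= SEQUENCE { tbs, alg, sig }
    fields = _children(_children(cert)[0][1])           # tbsCertificate members
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = fields[3][1]                             # serial, signature, issuer, validity, ...
    return _parse_time(*_children(validity)[1])         # { notBefore, notAfter }

def load_der(path):
    """Return DER bytes from a PEM or DER certificate file."""
    with open(path, "rb") as f:
        data = f.read()
    if b"-----BEGIN CERTIFICATE-----" not in data:
        return data
    body = data.split(b"-----BEGIN CERTIFICATE-----", 1)[1].split(b"-----END CERTIFICATE-----", 1)[0]
    return base64.b64decode(b"".join(body.split()))

def scan_capath(capath, now=None):
    """Map each <hash> to its [(N, filename, notAfter, expired)] entries, sorted by N."""
    now, groups = now or datetime.datetime.now(UTC), {}
    for fn in os.listdir(capath):
        m = HASH_FILE.match(fn)
        if m:
            exp = not_after(load_der(os.path.join(capath, fn)))
            groups.setdefault(fn.split(".")[0], []).append((int(m.group(1)), fn, exp, exp < now))
    for certs in groups.values():
        certs.sort()
    return groups

def expired_files(groups):
    """Every expired <hash>.N: the entries Viktor's advice says to remove before they expire."""
    return sorted(fn for certs in groups.values() for _, fn, _, expired in certs if expired)

def shadowing(groups):
    """Hashes whose <hash>.0 has expired while a later sibling is still valid: the layout
    reported in the thread, where lookup stops at the first subject match."""
    return sorted(h for h, certs in groups.items()
                  if certs[0][0] == 0 and certs[0][3] and any(not c[3] for c in certs[1:]))

# --- constructed sample data: unsigned but structurally valid certificates for the demo ---
def _der(tag, content):
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def sample_cert(cn, nb, na):
    """Minimal v3 Certificate with the given CN and validity; empty BIT STRINGs stand in for key and signature."""
    utc = lambda dt: _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))     # sha256WithRSAEncryption
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name
           + _der(0x30, utc(nb) + utc(na)) + name + _der(0x30, alg + _der(0x03, b"\x00")))
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00"))

def demo():
    """Write deadbeef.0 (expired 2017-12-31) and deadbeef.1 (valid to 2030) for one CN into a
    temp CApath and scan it as of 2018-01-08. 'deadbeef' stands in for the real subject hash."""
    capath, now = tempfile.mkdtemp(), datetime.datetime(2018, 1, 8, tzinfo=UTC)
    for n, year in ((0, 2017), (1, 2030)):
        nb, na = datetime.datetime(2016, 1, 1, tzinfo=UTC), datetime.datetime(year, 12, 31, tzinfo=UTC)
        pem = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(sample_cert("Example LDAP CA", nb, na))
               + b"-----END CERTIFICATE-----\n")
        with open(os.path.join(capath, "deadbeef.%d" % n), "wb") as f:
            f.write(pem)
    return scan_capath(capath, now)

if __name__ == "__main__":
    g = demo()
    print("expired:", expired_files(g), "shadowed by an expired .0:", shadowing(g))
```

Run it against a real directory with `scan_capath("/etc/ssl/certs")` and the current time; anything listed by `expired_files()` is a candidate for removal, and anything listed by `shadowing()` is a group where the OpenSSL behaviour described above would already be biting. The parser reads only the fields up to validity, so it is indifferent to extensions and signature algorithms, but it assumes DER as written by c_rehash-managed PEM files, not BER.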


