[openssl-dev] [openssl-users] Failed to access LDAP server when a valid certificate is at <hash>.1+

Misaki Miyashita misaki.miyashita at oracle.com
Tue Jan 9 06:53:17 UTC 2018



On 01/ 8/18 04:46 PM, Misaki Miyashita wrote:
> (switching the alias to openssl-dev at openssl.org)
>
> I would like to suggest the following fix so that a valid certificate 
> at <hash>.x can be recognized during cert validation even when 
> <hash>.0 links to a bad/expired certificate.  This may not be the 
> most elegant solution, but it is a minimal change with low impact on 
> the rest of the code.
>
> Could I possibly get a review of the change, and could it possibly be 
> considered for integration upstream?
> (This is for the 1.0.1 branch)

Sorry, I meant to say it is for the 1.0.2 branch.

>
> Thanks in advance.
>
> -- misaki
>
>
> --- a/crypto/x509/x509_vfy.c    2017-11-02 07:32:58.000000000 -0700
> +++ b/crypto/x509/x509_vfy.c    2017-12-11 12:37:55.591835780 -0800
> @@ -185,6 +185,39 @@
>      return xtmp;
>  }
>
> +/*
> + * Look through the trust store setup by get_issuer() and
> + * return the certificate which matches the server cert 'x'
> + * via 'xtmp'.
> + */
> +static int X509_get_cert(X509 **xtmp, X509_STORE_CTX *ctx, X509 *x)
> +{
> +    X509_OBJECT    *tmp;
> +    int            i;
> +    int            ret = 0;
> +
> +    CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
> +    for (i = 0; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++) {
> +        tmp = sk_X509_OBJECT_value(ctx->ctx->objs, i);
> +        if (tmp == NULL) {
> +            goto exit;
> +        }
> +        if (X509_cmp(tmp->data.x509, x) == 0) {
> +            /*
> +             * Found the cert in the trust store which matches the
> +             * server cert.  Increment the ref count and return.
> +             */
> +            X509_OBJECT_up_ref_count(tmp);
> +            *xtmp = tmp->data.x509;
> +            ret = 1;
> +            goto exit;
> +        }
> +    }
> +exit:
> +    CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
> +    return ret;
> +}
> +
>  int X509_verify_cert(X509_STORE_CTX *ctx)
>  {
>      X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
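Review bot: the loop in X509_get_cert() reads tmp->data.x509 for every entry of ctx->ctx->objs without first checking tmp->type; the store cache holds CRL objects next to certificates, and for those the data union carries a CRL pointer, so X509_cmp() would be handed something that is not an X509. Add
    if (tmp->type != X509_LU_X509)
        continue;
before the X509_cmp() call. Two smaller points: the tmp == NULL branch jumps to exit with ret still 0, so a damaged cache is indistinguishable from "no match" and deserves at least a comment; and the X509_ prefix is the public-API namespace, so a static helper belongs under a lowercase internal name.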
> @@ -316,9 +350,13 @@
>                   * We have a single self signed certificate: see if 
> we can
>                   * find it in the store. We must have an exact match 
> to avoid
>                   * possible impersonation.
> +                 * get_issuer() sets up the trust store for the 
> subject and
> +                 * returns the first cert via 'xtmp'. The first cert 
> in the
> +                 * trust store may not be the certificate that we are 
> interested
> +                 * in. Look through the trust store to see there is 
> an exact match.
>                   */
>                  ok = ctx->get_issuer(&xtmp, ctx, x);
> -                if ((ok <= 0) || X509_cmp(x, xtmp)) {
> +                if ((ok <= 0) || (X509_get_cert(&xtmp, ctx, x) != 1)) {
>                      ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
>                      ctx->current_cert = x;
>                      ctx->error_depth = i - 1;
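Review bot: the reference ctx->get_issuer() hands back through xtmp is leaked whenever X509_get_cert() finds a match, because X509_get_cert() overwrites xtmp with a second, separately up-referenced pointer before anything can release the first one; only the failure path, where xtmp keeps the get_issuer() value, can still free it. Since the new comment says get_issuer() is kept only to populate the trust store for this subject, keep its result in its own variable, drop it with X509_free() once the scan has produced the replacement, and leave the existing failure-path handling of xtmp as it is. Minor: "to see there is an exact match" in the comment should read "to see if there is an exact match".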
>
>
> On 10/21/17 03:21 PM, Viktor Dukhovni wrote:
>>
>> On Oct 21, 2017, at 11:20 AM, Misaki Miyashita 
>> <misaki.miyashita at oracle.com> wrote:
>>
>>> We encountered a problem using OpenLDAP with OpenSSL when there were 
>>> more than one certificate with the same subject.
>>>
>>> Does OpenSSL stop searching for a valid certificate when it finds a 
>>> certificate with matching DN?
>> Yes: when a matching issuer is found in the trust store but is expired,
>> no alternative certificates will be tested.  You need to remove outdated
>> issuer certificates from your trust store before they expire.
>>
>
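Viktor's answer above points at the operational fix: the hash-directory lookup stops at the first <hash>.N whose subject matches, so an expired <hash>.0 has to be removed before it shadows a valid <hash>.1. The POSIX shell script below is an example added here to show that audit; it is not code from the OpenSSL project or from anyone in this thread. It assumes a c_rehash-style CApath directory whose file names are "openssl x509 -subject_hash" values, walks each hash's files in the .0, .1, ... order the thread describes (stopping at the first missing index), and uses "openssl x509 -checkend" so the audit can be run with a look-ahead in seconds to catch certificates that are about to expire, not only ones already expired. The openssl CLI is the only dependency.

```shell
#!/bin/sh
# Audit an OpenSSL CApath directory (c_rehash-style <subject_hash>.N files)
# for the situation described in this thread: several files share a subject
# hash, the lookup stops at the first one (<hash>.0), and that one has
# expired while a valid certificate sits unused at <hash>.1 or later.
# Added example, not OpenSSL code; it only needs the openssl CLI.

# Return 0 if the PEM certificate in $1 is still valid $2 seconds from now
# (default 0, i.e. not already expired).  -checkend exits non-zero when the
# certificate will have expired by then, which lets the audit run ahead of
# time, as the advice above ("before they expire") requires.
cert_is_valid() {
    openssl x509 -noout -checkend "${2:-0}" -in "$1" >/dev/null 2>&1
}

# Classify one subject hash $2 in CApath $1, looking $3 seconds ahead:
#   MISSING      no <hash>.0 exists
#   OK           <hash>.0, the first file the lookup sees, is valid
#   SHADOWED     <hash>.0 has expired but a later <hash>.N is valid; the
#                valid certificate is never reached by the lookup
#   ALL_EXPIRED  every <hash>.N has expired
capath_status() {
    dir=$1; hash=$2; ahead=${3:-0}
    n=0; first_valid=no; later_valid=no
    # Same enumeration order as the directory lookup: .0, .1, ... until a gap.
    while [ -e "$dir/$hash.$n" ]; do
        if cert_is_valid "$dir/$hash.$n" "$ahead"; then
            if [ "$n" -eq 0 ]; then first_valid=yes; else later_valid=yes; fi
        fi
        n=$((n + 1))
    done
    if [ "$n" -eq 0 ]; then printf 'MISSING\n'
    elif [ "$first_valid" = yes ]; then printf 'OK\n'
    elif [ "$later_valid" = yes ]; then printf 'SHADOWED\n'
    else printf 'ALL_EXPIRED\n'
    fi
}

# Walk every <hash>.0 in CApath $1 and print "<hash> <status>" for each
# subject hash, looking $2 seconds ahead.  Exit status 1 if any hash is
# SHADOWED, so the audit can gate a trust-store rollout.
audit_capath() {
    dir=$1; ahead=${2:-0}; rc=0
    for f in "$dir"/*.0; do
        [ -e "$f" ] || continue          # no match: the glob stayed literal
        status=$(capath_status "$dir" "$(basename "$f" .0)" "$ahead")
        printf '%s %s\n' "$(basename "$f" .0)" "$status"
        if [ "$status" = SHADOWED ]; then rc=1; fi
    done
    return "$rc"
}

# Usage: sh capath_audit.sh /etc/ssl/certs [seconds-ahead]
# e.g. a 30-day look-ahead: sh capath_audit.sh /etc/ssl/certs 2592000
if [ $# -gt 0 ]; then
    audit_capath "$1" "${2:-0}"
fi
```

Run it against the CApath the LDAP client is configured with. A SHADOWED line names a hash whose .0 file should be replaced or removed (and the directory re-hashed) so that the valid certificate at .1 or later becomes the first match; ALL_EXPIRED means a fresh issuer certificate is needed, not a reordering.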