[openssl-users] How to construct certificate chain

Jerry OELoo oyljerry at gmail.com
Tue Feb 10 07:17:18 UTC 2015


I am using the 1.0.2 stable release and added the code below, but it still gets
Equifax while the browser gets GeoTrust Global CA

    /* Build chains preferring trust-store issuers over peer-supplied ones */
    X509_VERIFY_PARAM *param;
    param = X509_VERIFY_PARAM_new();
    X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_TRUSTED_FIRST);
    /* Copy the flags into the SSL_CTX; the param object can then be freed */
    SSL_CTX_set1_param(ctx, param);
    X509_VERIFY_PARAM_free(param);

On Mon, Nov 17, 2014 at 3:43 PM, Viktor Dukhovni
<openssl-users at dukhovni.org> wrote:
> On Mon, Nov 17, 2014 at 03:13:22PM +0800, Jerry OELoo wrote:
>
>> When I construct google's (www.google.com) certificate chain, it is
>> different with browser's
>>
>> [openssl API]
>> www.google.com -> Google Internet Authority G2 -> GeoTrust Global CA
>> -> Equifax Secure Certificate Authority
>
> This is what Google sends on the wire.
>
>> [IE/Chrome]
>> www.google.com -> Google Internet Authority G2 -> GeoTrust Global CA
>
> The browsers short-circuit the chain, by finding an alternative trusted
> issuer for "G2"
>
>> It seems openssl use one certificate path with "bridge cert" but
>> browsers use another certificate path, and in answer, it said
>> "OpenSSL, which curl uses, is not, or at least not yet; thus you must
>> tell curl to give OpenSSL the Equifax root. (The OpenSSL 1.0.2
>> release, currently in beta, is announced to have enhancements in the
>> area of cert chain validation, which I haven't looked at in detail
>> yet.",
>
> Commit 9d2006d8 (1.0.2 branch) implements a new X509_V_FLAG_TRUSTED_FIRST
> flag which should give similar (to the browsers) results if set in
> the X509_STORE_CTX used to validate the chain via:
>
>     X509_VERIFY_PARAM_set_flags()
>
> and
>
>     SSL_CTX_set1_param()
>
> see apps/apps.c and apps/s_client.c
>
>> So is there any way that openssl 1.0.1j can solve this and construct
>> same certificate path with browsers did?
>
> No, but it is far from clear why "this" is a problem.  Google sends
> a chain signed by Equifax.  So OpenSSL builds a chain with that.
> When Google stops sending the Equifax cert, OpenSSL will use the
> GeoTrust root CA if that's configured.
>
> --
>         Viktor.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users at openssl.org
> Automated List Manager                           majordomo at openssl.org
-- 
Rejoice,I Desire!

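As an added illustration (not code from this thread or from OpenSSL), this Python model of path building shows why the two lookup orders end at different roots: the default order takes peer-supplied issuers first and consults the trust store only when those run out, whereas X509_V_FLAG_TRUSTED_FIRST consults the trust store at every step. The Cert records are constructed stand-ins named after the certificates in the thread; real OpenSSL matches issuers by name and key identifier and checks signatures, which the model omits.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: names only, no keys."""
    subject: str
    issuer: str

    def self_signed(self) -> bool:
        return self.subject == self.issuer


def find_issuer(cert: Cert, pool: List[Cert]) -> Optional[Cert]:
    """First certificate in pool whose subject matches cert's issuer name."""
    return next((c for c in pool if c.subject == cert.issuer and c != cert), None)


def build_chain(leaf: Cert, untrusted: List[Cert], trusted: List[Cert],
                trusted_first: bool = False) -> Optional[List[Cert]]:
    """Model of OpenSSL 1.0.2 chain building; None means no trusted path."""
    chain = [leaf]
    while True:
        cur = chain[-1]
        if cur.self_signed():
            return chain if cur in trusted else None
        anchor = find_issuer(cur, trusted)
        if trusted_first and anchor is not None:
            return chain + [anchor]          # trust store consulted at each step
        nxt = find_issuer(cur, untrusted)
        if nxt is None or nxt in chain:
            # Peer-supplied certificates exhausted: fall back to the trust store.
            return chain + [anchor] if anchor is not None else None
        chain.append(nxt)


def chain_names(chain: Optional[List[Cert]]) -> Optional[List[str]]:
    return None if chain is None else [c.subject for c in chain]


# Constructed sample data modelled on the chain discussed in the thread.
LEAF = Cert("www.google.com", "Google Internet Authority G2")
G2 = Cert("Google Internet Authority G2", "GeoTrust Global CA")
GEOTRUST_CROSS = Cert("GeoTrust Global CA", "Equifax Secure Certificate Authority")
GEOTRUST_ROOT = Cert("GeoTrust Global CA", "GeoTrust Global CA")
EQUIFAX_ROOT = Cert("Equifax Secure Certificate Authority",
                    "Equifax Secure Certificate Authority")
WIRE_CHAIN = [LEAF, G2, GEOTRUST_CROSS]          # what the server sends
TRUST_STORE = [GEOTRUST_ROOT, EQUIFAX_ROOT]      # a store holding both roots
```

SSL_get_peer_cert_chain() returns the wire chain unchanged regardless of this flag; the chain actually built is the one exposed by X509_STORE_CTX_get1_chain() inside a verify callback.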