[openssl-users] Intermediate certificates

Viktor Dukhovni openssl-users at dukhovni.org
Tue Jan 27 20:12:53 UTC 2015


On Tue, Jan 27, 2015 at 10:21:01PM +0300, Serj wrote:

> Some web-sites don't send all intermediate certs during "SSL Handshake".

Indeed some websites are misconfigured.

> For example, www.verisign.com sends only server's cert but doesn't send next intermediate cert:

But www.verisign.com is not among them:

    $ sleep 2 |
        openssl s_client -showcerts -connect www.verisign.com:443 2>&1 |
        openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
        openssl pkcs7 -print_certs -noout
    subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2158113/C=US/postalCode=94043/ST=California/L=Mountain View/street=350 Ellis Street/O=Symantec Corporation/OU=Infrastructure Operations  /CN=www.verisign.com
    issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA

    subject=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
    issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5

    subject=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    issuer=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority


> So, I need to set a list of intermediate certs for my SSL connections. How to do this?
> 
> With SSL_CTX_load_verify_locations() I can set only trusted root certs, but not intermediate certs.

This is not needed for properly configured servers, such as
www.verisign.com.

While providing additional "untrusted" (intermediate) certificates
is possible, it is complex and the right solution is for the broken
sites to fix their certificate chain configuration.

It is unfortunate that browsers "lend a helping hand" to such sites.

-- 
	Viktor.
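The reply above says that handing OpenSSL extra "untrusted" intermediates is possible but that the real fix belongs on the server. The script below is an added example (not Viktor's code and not part of OpenSSL itself) that reproduces the failure mode offline with the openssl CLI: it builds a throwaway root, intermediate and leaf, shows that the leaf does not verify when only the root is trusted and the intermediate is missing (what a client sees when a server omits it), and then shows the leaf verifying once the intermediate is supplied with `-untrusted`, which is the command-line counterpart of the untrusted chain argument to `X509_STORE_CTX_init()`. All subject names, file names and the temporary directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original mail: a constructed root -> intermediate
# -> leaf chain used to show how a missing intermediate breaks verification and
# how "-untrusted" supplies it. Requires the openssl CLI (1.1.0 or later).

# Build root.pem / int.pem / leaf.pem (and keys) in the given directory.
make_chain() {
    dir="$1"
    mkdir -p "$dir"
    # Root CA: self-signed; "req -x509" marks it CA:TRUE by default.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Test Root" \
        -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1

    # Intermediate CA: signed by the root and explicitly marked as a CA.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/int.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Test Intermediate" \
        -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -CAcreateserial \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -extfile "$dir/int.ext" -in "$dir/int.csr" -out "$dir/int.pem" >/dev/null 2>&1

    # Leaf (server) certificate: signed by the intermediate only.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' \
        > "$dir/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -CAcreateserial \
        -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -extfile "$dir/leaf.ext" -in "$dir/leaf.csr" -out "$dir/leaf.pem" >/dev/null 2>&1
}

# What a client sees from a misconfigured server: it holds the leaf and trusts
# the root, but nothing links the two. Succeeds only if verify reports OK.
verify_without_intermediate() {
    dir="$1"
    openssl verify -no-CApath -no-CAfile -CAfile "$dir/root.pem" \
        "$dir/leaf.pem" 2>&1 | grep -q ': OK$'
}

# Same trust store, but the intermediate is offered as untrusted chain
# material; it is used to build the path, not as a trust anchor.
verify_with_intermediate() {
    dir="$1"
    openssl verify -no-CApath -no-CAfile -CAfile "$dir/root.pem" \
        -untrusted "$dir/int.pem" "$dir/leaf.pem" 2>&1 | grep -q ': OK$'
}

# Stand-alone demo: build the chain in a temporary directory and report both outcomes.
demo_dir="$(mktemp -d)"
make_chain "$demo_dir"
if verify_without_intermediate "$demo_dir"; then
    echo "leaf verified with the root alone (unexpected)"
else
    echo "leaf NOT verified with the root alone: the intermediate is missing"
fi
if verify_with_intermediate "$demo_dir"; then
    echo "leaf verified once the intermediate is supplied via -untrusted"
fi
rm -rf "$demo_dir"
```

The `-untrusted` file is consulted only for path building; trust still has to end at a certificate in `-CAfile`, which is why the server-side fix (sending the intermediate in the handshake) and the client-side workaround (supplying it as untrusted) lead to the same chain without widening what the client trusts.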