[openssl-users] problems with s_client recognizing revoked intermediate/subordinate ca

Jakob Bohm jb-openssl at wisemo.com
Fri Mar 11 00:51:32 UTC 2016


On 11/03/2016 01:18, Viktor Dukhovni wrote:
> On Fri, Mar 11, 2016 at 12:56:04AM +0100, Jakob Bohm wrote:
>
>> Your reply below is a perfect illustration of the expected confusion.
> Sorry, I disagree.  The 1.1.0 changes fix various shortcomings that
> may well also be addressed in a future 1.0.2 update.
>
> The net effect is more consistent behaviour that is the same whether
> intermediate certificates are found in the trust-store or obtained
> from the peer.  The few applications that enable partial chain
> support and the likely zero users who've created "decorated"
> intermediate certs in the OpenSSL trust store might notice some
> change.
>
> If you strongly feel that the behaviour should be the same for all
> users, that sounds like support for backporting the changes, which
> is something I will be proposing soon.
>
You misunderstand completely.

I am arguing that:

  - 1.0.x behavior should not be changed, as it would violate the
    principle of least surprise for a "security update" to change
    semantics.

  - 1.1.0 behavior is better, if it was the only OpenSSL version
    ever to exist, but it isn't.

  - Therefore the 1.1.0 behavior should use the CA directory shared
    with 1.0.x in a way consistent with how 1.0.x uses that directory
    (as a repository for trust anchors only, as far as I understand
    your non-replies), while 1.1.0 should store untrusted intermediary
    certificates in a different directory where they don't affect
    1.0.x instances running on the same machine.


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
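As an added example, not code from this thread: the layout argued for above, with a CApath that holds only trust anchors and the intermediate kept in a separate directory and handed to the verifier as untrusted input, exercised with openssl verify against a constructed three-tier chain. It assumes the openssl command-line tool is installed; all certificate names are made up.

```shell
#!/bin/sh
# Added example, not from the thread: trust anchors live in one directory,
# intermediates in another, and the intermediate is handed to the verifier
# as untrusted input instead of being placed among the anchors.
# Assumes the openssl command-line tool; every certificate is constructed
# here under a temporary directory (names are made up).
set -e

setup_pki() {
  WORK=$(mktemp -d)
  cd "$WORK"
  mkdir anchors intermediates
  # Minimal config so the run does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign' \
    '[leaf]' 'basicConstraints=CA:FALSE' > pki.cnf
  # Root CA: self-signed trust anchor, stored only in anchors/.
  openssl req -x509 -config pki.cnf -extensions ca -newkey rsa:2048 -nodes \
    -keyout root.key -out anchors/root.pem -subj "/CN=Demo Root" -days 2 2>/dev/null
  # Intermediate CA signed by the root, stored outside the anchor directory.
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -keyout int.key \
    -out int.csr -subj "/CN=Demo Intermediate" 2>/dev/null
  openssl x509 -req -in int.csr -CA anchors/root.pem -CAkey root.key -set_serial 1 \
    -days 2 -extfile pki.cnf -extensions ca -out intermediates/int.pem 2>/dev/null
  # Leaf certificate signed by the intermediate.
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
    -out leaf.csr -subj "/CN=leaf.example.test" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA intermediates/int.pem -CAkey int.key -set_serial 2 \
    -days 2 -extfile pki.cnf -extensions leaf -out leaf.pem 2>/dev/null
  # -CApath lookups need the subject-hash link that c_rehash would create.
  ln -s root.pem "anchors/$(openssl x509 -noout -hash -in anchors/root.pem).0"
}

# The chain builds because the intermediate is supplied as untrusted material;
# the anchor directory itself holds nothing but the root.
verify_with_intermediate() {
  openssl verify -CApath "$WORK/anchors" \
    -untrusted "$WORK/intermediates/int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Without the intermediate there is no path from the leaf to an anchor.
verify_without_intermediate() {
  openssl verify -CApath "$WORK/anchors" "$WORK/leaf.pem" >/dev/null 2>&1
}

setup_pki
verify_with_intermediate && echo "leaf verified: root from CApath, intermediate via -untrusted"
verify_without_intermediate || echo "leaf alone rejected: intermediate is not a trust anchor"
```

The same two calls are what s_client does internally when given -CApath and the peer sends (or fails to send) the intermediate, so the anchor directory can stay identical for every OpenSSL version on the machine.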
