[openssl-users] problems with s_client recognizing revoked intermediate/subordinate ca

Jakob Bohm jb-openssl at wisemo.com
Fri Mar 11 05:16:45 UTC 2016


On 11/03/2016 03:27, Viktor Dukhovni wrote:
> On Fri, Mar 11, 2016 at 02:44:59AM +0100, Jakob Bohm wrote:
>
>>> Well, no, 1.0.2 uses the trust store not only for trust-anchors,
>>> but also as a capricious source of intermediate certificates, whose
>>> behaviour varies depending on whether the peer supplied same said
>>> certificates on the wire or not.  I expect to improve the capricious
>>> behaviour.
>> You keep dodging the question: Does 1.0.2g trust or not
>> trust intermediary certs found in the "CA" store?
> They are not trust-anchors, so absent an issuer higher up, they
> are not sufficient to establish a "chain of trust", unless the
> application enables "partial chain" support.
Ok, that reverses the fundamental assumption behind all my
previous posts (including post #2 in this thread).  Why didn't
you state this earlier?

> ...
>
>
>> An intermediate-CApath store would typically act as a
>> growing cache of encountered intermediaries, needing a
>> lot less security considerations than a trusted-CApath.
>>
>> This is especially useful with protocols and protocol
>> variants where the convention is to not send the full
>> certificate chain at all, but rather to expect the
>> opposing end to request (and cache) any missing
>> intermediaries as necessary.
> Fine for browsers, not so practical for OpenSSL which does not go
> around downloading certificates on the fly.
Actually, I have only seen this done in non-browser
use of TLS (and only by Microsoft).


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
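
The distinction Viktor draws above, that a certificate found in the "CA" store can be used as an issuer without being a trust anchor unless the application enables partial-chain support, can be checked directly from the command line. The script below is an added example and not code from this thread or from the OpenSSL project. It builds a throwaway root, intermediate and leaf (the names "Demo Root", "Demo Intermediate" and "example.test" are made up), then runs `openssl verify` three ways: root as anchor with the intermediate supplied as untrusted (the normal case), the intermediate alone in the store, and the intermediate alone with `-partial_chain`, which is the CLI switch for `X509_V_FLAG_PARTIAL_CHAIN`. It assumes an openssl binary with the `req`, `x509 -req` and `verify -partial_chain` options as found in 1.1.1 or later, and a writable temp directory.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a constructed three-tier
# PKI (root -> intermediate -> leaf; all names are made up) and runs
# `openssl verify` with the intermediate placed in the trust store, with and
# without -partial_chain. Assumes an openssl with -partial_chain (1.0.2+) and
# the req / x509 -req behaviour of 1.1.1 or later.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

make_pki() {
    # Both CAs must carry CA:TRUE and keyCertSign or the chain builder
    # rejects them as issuers (X509_V_ERR_INVALID_CA).
    cat > "$WORK/ca_ext.cnf" <<'EOF'
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    cat > "$WORK/leaf_ext.cnf" <<'EOF'
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test
EOF
    for n in root int leaf; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$n.key"
    done
    openssl req -new -key "$WORK/root.key" -out "$WORK/root.csr" -subj "/CN=Demo Root" 2>/dev/null
    openssl req -new -key "$WORK/int.key"  -out "$WORK/int.csr"  -subj "/CN=Demo Intermediate" 2>/dev/null
    openssl req -new -key "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/CN=example.test" 2>/dev/null
    # Self-signed root; root signs the intermediate; intermediate signs the leaf.
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -set_serial 1 -days 1 \
        -extfile "$WORK/ca_ext.cnf" -out "$WORK/root.pem" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -set_serial 2 -days 1 -extfile "$WORK/ca_ext.cnf" -out "$WORK/int.pem" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -set_serial 3 -days 1 -extfile "$WORK/leaf_ext.cnf" -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_leaf STORE [extra openssl verify options...]
# Prints "OK" when the leaf verifies against STORE, otherwise "FAIL: <openssl output>".
verify_leaf() {
    store="$1"; shift
    if out="$(openssl verify "$@" -CAfile "$store" "$WORK/leaf.pem" 2>&1)"; then
        echo "OK"
    else
        printf 'FAIL: %s\n' "$(printf '%s' "$out" | tr '\n' ' ')"
    fi
}

# Case 1: root is the trust anchor and the intermediate is supplied as an
# untrusted cert, i.e. what a well-behaved peer sends on the wire. Verifies.
root_anchor_with_untrusted_int() { verify_leaf "$WORK/root.pem" -untrusted "$WORK/int.pem"; }

# Case 2: only the intermediate is in the "CA" store. The chain builder uses
# it as the leaf's issuer, but it is not a trust anchor, and there is no
# self-signed root above it, so verification fails with
# "unable to get issuer certificate".
int_in_store_default() { verify_leaf "$WORK/int.pem"; }

# Case 3: same store, but the application opts into partial chains
# (X509_V_FLAG_PARTIAL_CHAIN; -partial_chain on the CLI). The store
# certificate now terminates the chain and the leaf verifies.
int_in_store_partial_chain() { verify_leaf "$WORK/int.pem" -partial_chain; }

make_pki
echo "root anchor + untrusted intermediate: $(root_anchor_with_untrusted_int)"
echo "intermediate alone in store:          $(int_in_store_default)"
echo "intermediate alone + -partial_chain:  $(int_in_store_partial_chain)"
```

The second case is the one the thread is about: a store that mixes roots and intermediates does not make those intermediates anchors, it only lets the library use them to complete chains. Whether a given 1.0.2 build prefers the on-the-wire copy or the store copy of the same intermediate is the "capricious" part Viktor refers to, and is not something this script distinguishes; it only shows the trust outcome with and without the partial-chain flag.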
