reg: question about SSL server cert verification

Jakob Bohm jb-openssl at wisemo.com
Sun Jun 20 02:08:19 UTC 2021


On 2021-06-18 17:07, Viktor Dukhovni wrote:

> On Fri, Jun 18, 2021 at 03:09:47PM +0200, Jakob Bohm via openssl-users wrote:
>
>> Now the client simply works backwards through that list, checking if
>> each certificate signed the next one or claims to be signed by a
>> certificate in /etc/certs.  This lookup is done based on the complete
>> distinguished name, not just the CN part of it.  At every step, the
>> certificate may be referenced by a "key identifier" instead of the
>> distinguished name, and some clients will compare that instead of the
>> distinguished name.
> All extant (non-EOL) OpenSSL releases prioritise the local trust-store
> over the remotely provided CA certificate list when building the
> certificate chain.  The remote chain is used only when no match is found
> in the trust store.  As soon as a matching issuer is found in the trust store
> all further lookups are from the trust store only.
>
> If the local trust store contains only "root CAs", and the remote peer
> provides the rest of the chain, with no overlap in the subject
> distinguished names, the behaviour is not observably different from
> Jakob's description.
>
> Differences are observed once the local trust store contains some
> intermediate certificates or the remote chain provides a cross cert for
> which the local store instead contains a corresponding (same subject
> name and keyid) self-signed root, or the cross cert is in the local
> store, but the remote peer sends a root.  In all such cases chain
> construction uses the certs from the trust store.  This tends to produce
> less surprising (and ideally better, or at least what you implicitly
> asked for) results.
>
Interesting, earlier today, I observed the confusing effect of
"openssl verify" treating -trusted_first as always on while keeping
document wording suggesting it is an actual option, not historical
remnants of yet another feature removed by the new OpenSSL
management.

-- 
Jakob Bohm, CIO, partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark. direct: +45 31 13 16 10
This message is only for its intended recipient, delete if misaddressed.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
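As an added illustration, not OpenSSL's code and not part of the thread, here is a toy model of the trust-store-first chain building Viktor describes: the trust store is consulted at every step, and once an issuer comes from it the peer-supplied list is no longer used. `Cert`, `build_chain` and the constructed "Root X" / "Old Root" records are assumptions of this example; signatures are not checked, only full-DN plus key-identifier matching is modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Toy stand-in for an X.509 certificate (constructed; no real crypto)."""
    subject: str
    issuer: str
    keyid: str            # Subject Key Identifier
    authority_keyid: str  # Authority Key Identifier
    def is_self_signed(self):
        return self.subject == self.issuer and self.keyid == self.authority_keyid

def find_issuer(cert, pool):
    """Match on the full issuer DN plus key identifier, never on CN alone."""
    for c in pool:
        if c.subject == cert.issuer and c.keyid == cert.authority_keyid:
            return c
    return None

def build_chain(leaf, remote, trusted, max_depth=8):
    """Trust store first at every step; once an issuer comes from it,
    the peer-supplied list is ignored for the rest of the chain."""
    chain, cur, trusted_reached = [leaf], leaf, False
    while not (cur.is_self_signed() and cur in trusted):
        if cur.is_self_signed() or len(chain) > max_depth:
            raise ValueError(f"no trusted path from {cur.subject!r}")
        nxt = find_issuer(cur, trusted)
        if nxt is not None:
            trusted_reached = True
        elif not trusted_reached:
            nxt = find_issuer(cur, remote)
        if nxt is None:
            raise ValueError(f"no issuer found for {cur.subject!r}")
        chain.append(nxt)
        cur = nxt
    return chain

def chain_subjects(leaf, remote, trusted):
    try:  # subjects along the built chain, or None if no trusted path exists
        return [c.subject for c in build_chain(leaf, remote, trusted)]
    except ValueError:
        return None

# Constructed scenario from the thread: the peer sends a cross-signed "Root X"
# (issued by "Old Root"); the local store holds a self-signed "Root X" with the same key id.
LEAF = Cert("CN=www.example.test", "CN=Intermediate", "k-leaf", "k-int")
INTER = Cert("CN=Intermediate", "CN=Root X", "k-int", "k-x")
CROSS = Cert("CN=Root X", "CN=Old Root", "k-x", "k-old")
ROOT_X = Cert("CN=Root X", "CN=Root X", "k-x", "k-x")
OLD_ROOT = Cert("CN=Old Root", "CN=Old Root", "k-old", "k-old")
```

`chain_subjects(LEAF, [INTER, CROSS], [ROOT_X])` yields a three-cert chain ending at the local self-signed root, with the peer's cross cert skipped; with `[OLD_ROOT]` as the store instead, the cross cert is used and the chain has four certs.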