reg: question about SSL server cert verification
Viktor Dukhovni
openssl-users at dukhovni.org
Sun Jun 20 18:39:16 UTC 2021
> On 19 Jun 2021, at 10:08 pm, Jakob Bohm via openssl-users <openssl-users at openssl.org> wrote:
>
>> Differences are observed once the local trust store contains some
>> intermediate certificates or the remote chain provides a cross cert for
>> which the local store instead contains a corresponding (same subject
>> name and keyid) self-signed root, or the cross cert is in the local
>> store, but the remote peer sends a root. In all such cases chain
>> construction uses the certs from the trust store. This tends to produce
>> less surprising (and ideally better, or at least what you implicitly
>> asked for) results.
>
> Interesting; earlier today I observed the confusing effect of
> "openssl verify" treating -trusted_first as always on while keeping
> document wording suggesting it is an actual option, not historical
> remnants of yet another feature removed by the new OpenSSL
> management.
I think it would be best to avoid the insinuating tone. The change
to trusted-first was requested by users, who provided well-motivated
use-cases that are broken otherwise.
If you want full control of the chain with verify(1) use the "-trusted"
and "-untrusted" options (the "-trusted" option preëmpts the default trust
store).
If the documentation is confusing, please open an issue or pull request;
this is a community project. I am sorry you're feeling left out, but the
answer to that is to participate.
--
Viktor.
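Added example, not part of the thread or of the OpenSSL project: a POSIX shell script that builds a throwaway root, intermediate and leaf with openssl(1) and then exercises the "-trusted" and "-untrusted" options of verify(1) that Viktor points to, including the case from the quoted text where the peer sends its root as well as its intermediate. It assumes OpenSSL 1.1.1 or later on PATH; the CA names, file names and the leaf's DNS name are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the thread: a throwaway root -> intermediate -> leaf
# chain built with openssl(1), then verified with the -trusted / -untrusted
# options of verify(1). Assumes OpenSSL 1.1.1 or later on PATH. All names,
# paths and the leaf DNS name below are constructed for this demo.
set -eu

WORK=$(mktemp -d)                   # scratch directory for keys and certs
trap 'rm -rf "$WORK"' EXIT

# Minimal req(1) config so the demo does not depend on the system openssl.cnf.
# Subjects come from -subj; the [dn] entry exists only because req(1)
# insists on a distinguished_name section.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
subjectAltName = DNS:leaf.example.test
EOF

# make_chain: self-signed root, intermediate signed by the root, leaf signed
# by the intermediate, plus a bundle that mimics a peer sending its
# intermediate *and* its root.
make_chain() {
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 30 -subj "/CN=Demo Root (constructed)" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Demo Intermediate (constructed)" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -days 30 -sha256 \
        -extfile "$WORK/req.cnf" -extensions v3_ca \
        -out "$WORK/inter.pem" 2>/dev/null

    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=leaf.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" \
        -CAkey "$WORK/inter.key" -CAcreateserial -days 30 -sha256 \
        -extfile "$WORK/req.cnf" -extensions v3_leaf \
        -out "$WORK/leaf.pem" 2>/dev/null

    cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/peer-bundle.pem"
}

# verify_leaf TRUSTED UNTRUSTED [extra verify(1) options]
# UNTRUSTED may be "" for "the peer sent nothing but the leaf".
# -trusted already preempts the default store; -no-CAfile/-no-CApath only
# make that explicit. Returns verify(1)'s exit status (0 = chain accepted).
verify_leaf() {
    _trusted=$1; _untrusted=$2; shift 2
    if [ -n "$_untrusted" ]; then
        openssl verify -no-CAfile -no-CApath -trusted "$_trusted" \
            -untrusted "$_untrusted" "$@" "$WORK/leaf.pem"
    else
        openssl verify -no-CAfile -no-CApath -trusted "$_trusted" \
            "$@" "$WORK/leaf.pem"
    fi
}

# show LABEL CMD...: run one check and report whether verify(1) accepted it.
show() {
    _label=$1; shift
    if "$@" >/dev/null 2>&1; then echo "$_label: OK"; else echo "$_label: FAIL"; fi
}

make_chain
show "root trusted, intermediate untrusted"       verify_leaf "$WORK/root.pem" "$WORK/inter.pem"
show "root trusted, peer sends inter+root"        verify_leaf "$WORK/root.pem" "$WORK/peer-bundle.pem"
show "root trusted, intermediate missing"         verify_leaf "$WORK/root.pem" ""
show "intermediate trusted, no -partial_chain"    verify_leaf "$WORK/inter.pem" ""
show "intermediate trusted, with -partial_chain"  verify_leaf "$WORK/inter.pem" "" -partial_chain
```

The first two checks succeed, the third fails because nothing supplies the intermediate, and the last two show that a trusted file holding a non-self-signed certificate is only accepted as an anchor when -partial_chain is given; adding -show_chain to the extra options prints which file each link of the built chain came from.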