Re: [PATCH] openssl: allow partial trust chains

From: Tim Ruehsen <tim.ruehsen_at_gmx.de>
Date: Thu, 26 Nov 2015 10:25:31 +0100

> By default OpenSSL only accepts connections if the full chain to
> the root can be verified.

This seems to be a very good idea :-)

> If only an intermediate CA in the chain is trusted, setting this
> flag also allows the connection when the root CA is not trusted.

Maybe I don't get your point.
The server cert is signed by an intermediate CA. This is signed by
(intermediate cert | root CA). Repeat the last step until you reach the root
CA.
The root CA is the only one you trust by definition (normally/often root CAs
are installed by your distribution).

If one part of this chain isn't trusted, the server cert isn't trusted
either.
Why do you propose such a behavior as default behavior (what am I missing)?
Could you explain the purpose in detail, please?

I can imagine some cases where such behavior is wanted. How about a CLI
option?

Tim

On Wednesday 25 November 2015 19:09:44 Reiner Herrmann wrote:
> If only an intermediate CA in the chain is trusted, setting this
> flag also allows the connection when the root CA is not trusted.
> This is also the default behavior for e.g. GnuTLS.
> ---
> lib/vtls/openssl.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
> index b2520e8..5a18845 100644
> --- a/lib/vtls/openssl.c
> +++ b/lib/vtls/openssl.c
> @@ -1971,6 +1971,13 @@ static CURLcode ossl_connect_step1(struct connectdata
> *conn, int sockindex) data->set.str[STRING_SSL_CRLFILE]: "none");
> }
>
> + /* Allow partial trust chains, so that trusting an intermediate CA
> + * is sufficient. */
> +#if defined(X509_V_FLAG_PARTIAL_CHAIN)
> + X509_STORE_set_flags(SSL_CTX_get_cert_store(connssl->ctx),
> + X509_V_FLAG_PARTIAL_CHAIN);
> +#endif
> +
> /* Try building a chain using issuers in the trusted store first to avoid
> problems with server-sent legacy intermediates.
> Newer versions of OpenSSL do alternate chain checking by default which
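Review bot: the flag is set unconditionally on the SSL_CTX's store, so after this hunk every certificate in the bundle loaded for the connection can anchor a chain, not only self-signed roots, and users who keep intermediates in their CA bundle get broader trust without having asked for it; consider gating this behind a new option rather than making it the default, or at least documenting the changed meaning of the CA bundle. The code comment should also spell out the consequence, e.g. `/* Any CA in the store may anchor the chain; the root need not be present. */`, since "trusting an intermediate CA is sufficient" alone does not tell a reader that the root is no longer required.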
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-11-26
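Tim's description of how a chain is built from the server cert up to the root, and the change the quoted patch makes by setting X509_V_FLAG_PARTIAL_CHAIN, can be reproduced with the openssl CLI. The script below is an added example, not code from curl or from this thread; the root, intermediate and leaf certificates and all file names are constructed here, and `openssl verify -partial_chain` stands in for the library flag.

```shell
#!/bin/sh
# Added example (not from the curl patch or this thread): build a constructed
# root -> intermediate -> leaf chain with the openssl CLI, then verify the leaf
# against a store that holds ONLY the intermediate, once in default mode and
# once with -partial_chain, the CLI counterpart of X509_V_FLAG_PARTIAL_CHAIN.
# Needs an openssl binary with -partial_chain support (1.0.2 or newer).
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; exit 0; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Root CA: self-signed. Its key is used once, to sign the intermediate.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Constructed Root CA" -days 30 >/dev/null 2>&1

# Intermediate CA: signed by the root, marked CA:TRUE so it may issue the leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Constructed Intermediate CA" >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile inter.ext -out inter.pem -days 30 >/dev/null 2>&1

# Leaf (server) certificate: signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=www.example.test" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out leaf.pem -days 30 >/dev/null 2>&1

# verify_leaf MODE: MODE is "full" (OpenSSL's default: the chain must end at a
# self-signed root in the store) or "partial" (any store certificate may anchor
# the chain). The trust store is inter.pem alone; root.pem is deliberately absent.
# Returns openssl's exit status: 0 on success, non-zero when verification fails.
verify_leaf() {
  flag=""
  [ "$1" = partial ] && flag="-partial_chain"
  openssl verify $flag -CAfile inter.pem leaf.pem >/dev/null 2>&1
}

for mode in full partial; do
  if verify_leaf "$mode"; then
    echo "$mode: leaf verified (intermediate accepted as trust anchor)"
  else
    echo "$mode: verification failed (issuer of the intermediate not in store)"
  fi
done
```

The default run fails with "unable to get issuer certificate" because the intermediate's issuer is missing from the store; the partial-chain run succeeds, which is exactly the behavior change the patch would make curl's default.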