Re: [PATCH] openssl: allow partial trust chains

From: Tim Ruehsen
Date: Thu, 26 Nov 2015 11:59:23 +0100

On Thursday 26 November 2015 10:52:58 Reiner Herrmann wrote:
> On Thu, Nov 26, 2015 at 10:25:31AM +0100, Tim Ruehsen wrote:
> > > By default OpenSSL only accepts connections if the full chain to
> > > the root can be verified.
> >
> > This seems to be a very good idea :-)
> >
> > > If only an intermediate CA in the chain is trusted, setting this
> > > flag also allows the connection when the root CA is not trusted.
> >
> > Maybe I don't get your point.
> > The server cert is signed by an intermediate CA. This is signed by
> > (intermediate cert | root CA). Repeat the last step until you reach the
> > root CA.
> > The root CA is the only one you trust by definition (normally/often root
> > CAs are installed by your distribution).
> >
> > If one part of this chain isn't trusted, the server cert isn't trusted as
> > well.
> > Why do you propose such a behavior as default behavior (What am I
> > missing)? Could you explain the purpose in detail, please.
> No, there can be cases where you only want to trust as few CAs as
> possible. So for example you trust the letsencrypt CA, but don't want to
> have the root CA which signed their cert in your trust store.
> If there is a valid chain up to an intermediate CA cert which you already
> explicitly trust, then there is (in my opinion) no need to require a
> full chain up to the root (which would force you to trust the root CA
> also).

I understand the scenario but one question:

"...want to trust as few CAs as possible..." is IMO not correct. You
implicitly trust the rootCA (because you trust letsencryptCA), but just want
to avoid the check for some reason. Why? Is it disk space or CPU cycle
concerns?

> > I can imagine some cases, where such behavior is wanted. How about a CLI
> > option?
> I think it should be a default, because if you explicitly put an
> intermediate CA cert into your trust store, your intention is probably
> that a chain up to this CA is sufficient.
> But right now this is not possible (with the OpenSSL backend).

I wouldn't mix intermediate CAs and root CAs.
Let's assume, you have intermediate CAs and root CAs in separate directories
(user and system). And you have an option to specify both directories as
places for your TLS engine to look at. Regular updates of your
system/distribution together with checking the full chain allow you to realize
when the rootCA is exchanged (e.g. because of rootCA being compromised). Curl
should cry loud now and you should go and get a new intermediate CA ASAP.

Sounds paranoid? AFAIR, weren't there already root CAs being compromised!?

Dropping this tiny bit of extra security would still let you trust in your
intermediary CA. Which might have been stolen as well from the rootCA.

But if you still want it, why not tell curl via a user (and/or system)
config file, if CLI options are too tedious?

> As mentioned in the patch, this is already the default behavior for the
> GnuTLS backend.

Thanks, I have to look for an option to switch that off :-(

Regards, Tim

Received on 2015-11-26
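
The behaviour debated in this thread, reproduced with the `openssl` command line as an added example (not part of the original mail or of the curl patch). It assumes an `openssl` binary that supports `-partial_chain` and that this CLI option corresponds to the flag under discussion; all certificate names and files are constructed.

```shell
#!/bin/sh
# Added example; every name, subject and file below is constructed.
# Builds root -> inter -> leaf, then verifies leaf under three trust setups.

make_pki() {  # $1: empty directory to fill with keys and PEM certificates
  ( cd "$1" &&
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext &&
    for n in root inter leaf; do
      openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
        -out "$n.csr" -subj "/CN=constructed-$n" 2>/dev/null || exit 1
    done &&
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
      -days 2 -out root.pem 2>/dev/null &&
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key \
      -set_serial 2 -extfile ca.ext -days 2 -out inter.pem 2>/dev/null &&
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key \
      -set_serial 3 -days 2 -out leaf.pem 2>/dev/null )
}

# Root is the trust anchor, intermediate is supplied as untrusted help.
verify_full() {
  openssl verify -trusted "$1/root.pem" -untrusted "$1/inter.pem" \
    "$1/leaf.pem" >/dev/null 2>&1
}

# Only the intermediate is trusted; OpenSSL's default wants a self-signed root.
verify_default() {
  openssl verify -trusted "$1/inter.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Same trust store, but chain building may stop at the trusted intermediate.
verify_partial() {
  openssl verify -partial_chain -trusted "$1/inter.pem" "$1/leaf.pem" \
    >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d) || return 1
  make_pki "$d" || { rm -rf "$d"; return 1; }
  for mode in full default partial; do
    if "verify_$mode" "$d"; then echo "$mode: accepted"
    else echo "$mode: rejected"; fi
  done
  rm -rf "$d"
}
demo
```

In the `partial` run the root certificate is never consulted, so removing or replacing it in the system store would not change the result; that is the trade-off the two positions in the thread disagree on.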