Re: [PATCH] openssl: allow partial trust chains

From: Tim Ruehsen <tim.ruehsen_at_gmx.de>
Date: Mon, 30 Nov 2015 12:41:39 +0100

On Monday 30 November 2015 11:52:27 Reiner Herrmann wrote:
> On Thu, Nov 26, 2015 at 11:59:23AM +0100, Tim Ruehsen wrote:
> > I understand the scenario but one question:
> >
> > "...want to trust as few CAs as possible..." is IMO not correct. You
> > implicitly trust the rootCA (because you trust letsencryptCA), but just
> > want to avoid checking it for some reason. Why? Is it disk space or CPU
> > cycle concerns?
>
> To clarify this, I don't have any root CAs in my trust store. It is
> empty except for a few selected (intermediate) CAs that I trust because I
> verified them through other ways.

Yes, you verified them once - verification occurs at a point in time. But you
drop automatic verification once and for all. IMO, in normal situations it
is nice to have automatic checks each time you use a cert. If you do this
without (lib)curl, this might be fine for your use case. But for regular /
non-expert (lib)curl users, this does not seem applicable (cert pinning and OCSP
are not enabled by default - so they are only available to 'expert' users).

Do you need a signed CA at all?
If it is just for private (or company-side) use, you won't need a signed CA at
all (if you don't check the chain at all). If you also use it for public
purposes (signing server certs), it could be a good idea to check the whole
chain even for internal connections. If not, your customers will recognize anything
wrong with the chain before you do - and that makes you look lame to your
customers...

> Right now it is not possible with the OpenSSL backend to verify connections,
> because of the missing root CA, even though I told curl that I trust the
> intermediate CAs by placing them into the trust store.
> Allowing partial trust chains solves this problem.

As already said, I agree with you in that this is a feature that should
definitely go into (lib)curl. But why not be a bit conservative and *not*
change the default behavior?

> I agree that it might be a rare case that normal users don't have.
> But I also don't see a security problem by allowing shorter trust chains.

I do, but I have to find some time to answer Daniel's last mail.

Regards, Tim
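
The situation the two mails argue about, as an added example that is not part of the thread or of curl: a constructed root / intermediate / leaf chain is verified with the openssl CLI against a trust store that contains only the intermediate, once with OpenSSL's default rule (the chain must reach a self-signed root in the store) and once with the partial-chain flag that accepts the intermediate as a trust anchor. Requires the openssl command (1.0.2 or later); all key material is throwaway.

```shell
#!/bin/sh
# Added example (not from the thread): build root -> intermediate -> leaf and
# check how OpenSSL verifies the leaf when only the intermediate is trusted.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Self-signed root CA (constructed, throwaway key material).
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Example Root CA" -days 30 2>/dev/null

# Intermediate CA, signed by the root, marked CA:TRUE so it may sign certs.
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out inter.pem -days 30 -extfile inter.ext 2>/dev/null

# Leaf (server) certificate, signed by the intermediate.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out leaf.pem -days 30 2>/dev/null

# verify_leaf <trust-store-file> [extra "openssl verify" options]
# Echoes "ok" when the leaf verifies against the store, "fail" otherwise.
verify_leaf() {
  store=$1; shift
  if openssl verify "$@" -CAfile "$store" leaf.pem >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Trust store = intermediate only (Reiner's setup).
# Default policy: the root is missing from the store, so verification fails.
verify_leaf inter.pem
# -partial_chain: the trusted intermediate is accepted as the anchor, so it passes.
verify_leaf inter.pem -partial_chain
# Reference: with the root trusted and the intermediate supplied as untrusted
# chain material, the default policy is satisfied.
verify_leaf root.pem -untrusted inter.pem
```

Run as a script: the three lines printed are fail, ok, ok, which is the difference in default behaviour the patch discussion is about.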

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-11-30