cURL / Mailing Lists / curl-library / Single Mail


Re: [PATCH] openssl: allow partial trust chains

From: Tim Ruehsen <>
Date: Mon, 30 Nov 2015 12:41:39 +0100

On Monday 30 November 2015 11:52:27 Reiner Herrmann wrote:
> On Thu, Nov 26, 2015 at 11:59:23AM +0100, Tim Ruehsen wrote:
> > I understand the scenario but one question:
> >
> > "...want to trust as few CAs as possible..." is IMO not correct. You
> > implicitly trust the rootCA (because you trust letsencryptCA), but just
> > want to avoid to check for some reasons. Why ? Is it disk space or CPU
> > cycle concerns ?
> To clarify this, I don't have any root CAs in my trust store. It is
> empty except for a few selected (intermediate) CAs that I trust because I
> verified them through other ways.

Yes, you verified them once - verification occurs at a point in time. But you
drop automatically verification once and for all. IMO, in normal situations it
is nice to have automatic checks each time you use a cert. If you do this
without (lib)curl, this might be fine for your use case. But for regular /
non-expert (lib)curl users, this seems not applicable (cert pinning and ocsp
are not enabled by default - so only available to 'expert' users).

Do you need a signed CA at all ?
If it is just for private (or company side) use, you won't need a signed CA at
all (if you don't check the chain at all). If you also use it for public
purposes (signing server certs), it could be a good idea to check the whole
chain even for internal connections. If not, your customers recognize anything
wrong with the chain before you do it - and that makes you look lame to your

> Right now it is not possible with the OpenSSL backend to verify connections,
> because of the missing root CA, even though I told curl that I trust the
> intermediate CAs by placing them into the trust store.
> Allowing partial trust chains solves this problem.

As already said, I agree with you in that this is a feature that should
definitely go into (lib)curl. But why not being a bit conservative and *not*
changing default behavior ?

> I agree that it might ba a rare case that normal users don't have.
> But I also don't see a security problem by allowing shorter trust chains.

I do, but I have to find some time to answer Daniels last mail.

Regards, Tim

List admin:
Received on 2015-11-30