On Wed, Mar 26, 2014 at 4:56 PM, Dr Stephen Henson <[email protected]> wrote:
> On 26/03/2014 13:38, Emilia Kasper wrote:
> >
> > On Wed, Mar 26, 2014 at 1:11 PM, Dr Stephen Henson
> > <[email protected]> wrote:
> >
> > > If the server is correctly configured to exclude the root then the
> > > chain build will fail. The root is needed during path verification
> > > to see that the chain is complete.
> >
> > Hmmm - it wasn't obvious from the doc that SSL_BUILD_CHAIN_FLAG_CHECK
> > would fail this way but now that I think about it, I see you're right.
> > This seems to be a limitation of X509_verify_cert and I'm not sure what
> > to do about it. Would SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR be too dangerous
> > to set? We'd still be building a best-effort correct issuer chain, just
> > no longer fully validating it. So I don't think it could mess up any
> > good configurations (famous last words?)
> >
>
> Well if you set SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR then it will reorder
> the chain as best it can and just not fail if the chain is incomplete or
> broken in any other way. That's how the on the fly path building works
> at present.
>
> Personally I'd prefer it to return errors. That will catch other common
> problems like expiry of any certificate in the chain.
>

Except it'll never get to checking expiry if there's no root cert. I think
I'd prefer to ignore but log build errors - but that I can't do because the
SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR flag clears the error stack.

So how about:

1) If OpenSSL default system store is present, then attempt to build a chain
with SSL_BUILD_CHAIN_FLAG_UNTRUSTED | SSL_BUILD_CHAIN_FLAG_NO_ROOT. Log all
errors. Else log a warning that the server chain cannot be locally verified.

2) If no system store is present or 1) failed with errors, run best-effort
autobuild with SSL_BUILD_CHAIN_FLAG_CHECK | SSL_BUILD_CHAIN_FLAG_NO_ROOT |
SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR.
> If mod_ssl wants finer control on how the chain is built or better error
> reporting then it's always possible to use a customised function that calls
> X509_verify_cert manually.
>
> Steve.
> --
> Dr Stephen Henson. OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD 21710
> +1 877-673-6775
> [email protected]
