On 27/03/14 16:45, Daniel Kahn Gillmor wrote:
<snip>
> Do we have a robust, free tool that, given a single X.509 EE cert, can
> do automagic fetching and trying of all combinations of these things and
> produce a reasonable PEM-encoded SSLCertificateChainFile on stdout?
> If we had such a tool, then the detection code in mod_ssl could just
> encourage people to run that tool.
I'm not aware of any existing tool that does this, but creating one has
been on my todo list for a while. :-)
I was thinking of putting the CA certificate discovery (using AIA
fetching, CT Log parsing, ZMap scanning, or whatever), chain building
and chain selection logic in a cloud-based service, rather than on the
client. I think this would make it more robust and deterministic (i.e.
you wouldn't have AIA fetches succeeding for some clients and failing
for others) and it wouldn't require a client-side update whenever the
(gnarly, ugly) chain selection logic needs tweaking.
The client would simply HTTP(S) POST a certificate (or maybe just the
AKID / Issuer Name) to the cloud-based service, and receive back a
PEM-encoded SSLCertificateChainFile.
Sound reasonable?
(As it happens, I have a project that does most of this already... ;-) )
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
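An added example, not code from this thread or from Rob's project: the chain-building step such a service would run once it has gathered candidate issuers (here constructed throwaway certs rather than AIA/CT-fetched ones), emitting the intermediates as a PEM SSLCertificateChainFile. It leans on Go's standard-library x509.Verify for the issuer/AKID matching and signature checks; certificate names and the Demo/mkCert helpers are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// mkCert issues a throwaway fixture cert for cn, signed by parent (self-signed when parent is nil).
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil { // self-signed root
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// BuildChainFile returns a PEM SSLCertificateChainFile for leaf: the intermediates of a chain that verifies
// to a trusted root, leaf's issuer first, leaf and root omitted. Decoys or cross-signs in the pool do no harm.
func BuildChainFile(leaf *x509.Certificate, candidates, roots *x509.CertPool) ([]byte, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: candidates})
	if err != nil {
		return nil, err // no path to a trusted root: emit nothing rather than a broken chain
	}
	var out []byte
	// Verify returns every chain it found; a real tool would rank them here (the "selection logic").
	for _, c := range chains[0][1 : len(chains[0])-1] {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out, nil
}

func Demo() (got, want []byte, err error) { // constructed root -> intermediate -> leaf fixture
	root, rootKey := mkCert("Demo Root CA", true, nil, nil)
	inter, interKey := mkCert("Demo Intermediate CA", true, root, rootKey)
	leaf, _ := mkCert("www.example.com", false, inter, interKey)
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	pool.AddCert(inter)
	got, err = BuildChainFile(leaf, pool, roots)
	return got, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: inter.Raw}), err
}
```

Demo returns the generated chain file beside the PEM it should consist of (the intermediate alone), so the two can be compared directly.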