Some web browsers (Google Chrome for example) do support Authority Information
Access for fetching intermediate certificates.

The OpenSSL library (client side) unfortunately seems unable to do that.

So this is a feature request about adding support for AIA for fetching
intermediate certificates, and ideally doing that automatically (without a need to
rewrite every OpenSSL user to be able to support this). Not sure if that fits the
"library" model though.

Example below using openssl tool:

$ openssl s_client -connect ftp.ruby-lang.org:443
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, CN = *.ruby-lang.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = *.ruby-lang.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, CN = *.ruby-lang.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.ruby-lang.org
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
---
Server certificate
subject=/OU=Domain Control Validated/CN=*.ruby-lang.org
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
---
No client certificate CA names sent
---
SSL handshake has read 1948 bytes and written 430 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-RC4-SHA
    Session-ID: 260348623F2291CEC786FDA32371DA2772EF81138F8DFDA2D9AFC3CEE6847705
    Session-ID-ctx:
    Master-Key: FCE38FD5128A5740F4135787F65B0739AF24D296454D92804001A22633A194D354A0C198ECB39322FEFDEEE816F41F87
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:

    Start Time: 1417389788
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---


where the cert contains:

            Authority Information Access: 
                CA Issuers - URI:http://secure.globalsign.com/cacert/gsdomainvalsha2g2r1.crt
                OCSP - URI:http://ocsp2.globalsign.com/gsdomainvalsha2g2

and http://secure.globalsign.com/cacert/gsdomainvalsha2g2r1.crt
is the intermediate cert that allows getting the full validation path.

-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
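As an added illustration (not code from the post or from OpenSSL), a stand-alone Python DER walker that pulls the CA Issuers URI out of an AuthorityInfoAccess extension value, which is the lookup an AIA-chasing client performs before fetching the missing intermediate. The sample bytes are constructed here from the two URIs quoted in the post; OIDs and tag values follow RFC 5280.

```python
# Minimal DER walker for an AuthorityInfoAccess value (RFC 5280 4.2.2.1): SEQUENCE OF
# AccessDescription { accessMethod OID, accessLocation GeneralName }; URI names are tag 0x86.
OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # id-ad-caIssuers 1.3.6.1.5.5.7.48.2
OID_OCSP = bytes.fromhex("2b06010505073001")        # id-ad-ocsp 1.3.6.1.5.5.7.48.1

def _tlv(tag, body):
    """Encode one DER tag/length/value (short or long definite length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _read_tlv(buf, pos):
    """Decode the single-byte-tag TLV at buf[pos]; return (tag, value, next pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low 7 bits give the number of length octets
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + ln > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + ln], pos + ln

def encode_aia(entries):
    """(method OID bytes, URL) pairs -> DER AuthorityInfoAccessSyntax."""
    descs = b"".join(_tlv(0x30, _tlv(0x06, oid) + _tlv(0x86, url.encode("ascii")))
                     for oid, url in entries)
    return _tlv(0x30, descs)

def parse_aia(der):
    """Return [(method OID bytes, URL)] for every URI-typed AccessDescription."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AIA value must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = _read_tlv(seq, pos)
        t_oid, oid, p = _read_tlv(desc, 0)
        t_loc, loc, _ = _read_tlv(desc, p)
        if tag == 0x30 and t_oid == 0x06 and t_loc == 0x86:  # skip non-URI names
            out.append((oid, loc.decode("ascii")))
    return out

def ca_issuers_urls(der):
    """The URLs an AIA-chasing client fetches to obtain a missing intermediate."""
    return [url for oid, url in parse_aia(der) if oid == OID_CA_ISSUERS]

# Constructed sample: the same two access descriptions as the cert in the post.
SAMPLE_AIA = encode_aia([
    (OID_CA_ISSUERS, "http://secure.globalsign.com/cacert/gsdomainvalsha2g2r1.crt"),
    (OID_OCSP, "http://ocsp2.globalsign.com/gsdomainvalsha2g2"),
])
```

A client that completes the chain would fetch only the CA Issuers URL, parse the returned DER certificate, and pass it as untrusted chain material to path validation rather than trusting it directly.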
