>>> [EMAIL PROTECTED] 04/04/01 10:32:37 >>>
>> As you say, if the peer sends the certificate chain then the verify error changes
>> to X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, but I don't think this is the behavior I
>> need (also it's up to the web server whether it sends the chain, I believe)

> No, it is not up to the web server. The server must send the complete chain
> except for the root certificate. From RFC2246, 7.4.2:
>    certificate_list
>        This is a sequence (chain) of X.509v3 certificates. The sender's
>        certificate must come first in the list. Each following
>        certificate must directly certify the one preceding it. Because
>        certificate validation requires that root keys be distributed
>        independently, the self-signed certificate which specifies the
>        root certificate authority may optionally be omitted from the
>        chain, under the assumption that the remote end must already
>        possess it in order to validate it in any case.

I mentioned this since previously I had not defined SSLCertificateChainFile in my
httpd.conf (Apache, mod_perl) and when I did the following (excuse the hack!)
                /* The chain belongs to the SSL object: walk it, do not pop or free. */
                STACK_OF(X509) *cert_chain = SSL_get_peer_cert_chain(_ssl);
                int i;
                for (i = 0; cert_chain != NULL && i < sk_X509_num(cert_chain); i++) {
                    server_cert = sk_X509_value(cert_chain, i);
                    X509_print(cout, server_cert);          /* cout is a BIO */
                    PEM_write_bio_X509(cout, server_cert);
                }
I only got the server certificate back. On defining SSLCertificateChainFile (and
putting the CA cert in it) I got both certificates back! I also tried pointing my
browser at https://amazon.co.uk and similarly only got the server certificate!



> When realizing this functionality, please check out the old bugtraq
> messages. There were quite some subtle things with certificates being
> accepted for a wrong server name by the user once but then the non-matching
> certificate suddenly became valid for all server names (if memory serves
> me right)... It is not necessary to fall into the same pitfalls again :-)


I've just spent a couple of hours trawling through the mailing list archives without
much luck. Was this what you meant by 'bugtraq'? If so, can you offer any other hints
;-) or let me know how to get the 'bugtraq' messages?


Thanks,
 Graeme



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
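
An added example, not part of the original message and not OpenSSL code: the pitfall mentioned in the quoted reply (a certificate accepted once for a non-matching server name becoming valid for all names) contrasted with an exception store that binds each acceptance to the host it was given for. All function and type names are hypothetical, and fingerprints are assumed to be SHA-256 digests computed elsewhere.

```c
/* Hypothetical names throughout; fingerprints assumed to be SHA-256 digests. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define FP_LEN 32
struct cert_exception { char host[256]; unsigned char fp[FP_LEN]; };
static struct cert_exception store[16];
static int n_exc;

/* DNS names compare case-insensitively. */
static int host_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Record that the user accepted certificate fp for this one host. */
int exception_add(const char *host, const unsigned char *fp)
{
    if (n_exc >= 16 || strlen(host) >= sizeof store[0].host) return 0;
    strcpy(store[n_exc].host, host);
    memcpy(store[n_exc++].fp, fp, FP_LEN);
    return 1;
}

/* Pitfall: lookup by fingerprint only, so one acceptance covers every host. */
int exception_allows_any_host(const unsigned char *fp)
{
    for (int i = 0; i < n_exc; i++)
        if (memcmp(store[i].fp, fp, FP_LEN) == 0) return 1;
    return 0;
}

/* Correct: the exception applies only to the host it was accepted for. */
int exception_allows(const char *host, const unsigned char *fp)
{
    for (int i = 0; i < n_exc; i++)
        if (host_eq(store[i].host, host) && memcmp(store[i].fp, fp, FP_LEN) == 0)
            return 1;
    return 0;
}

int main(void)
{
    unsigned char fp[FP_LEN];
    memset(fp, 0xA1, FP_LEN);               /* constructed sample fingerprint */
    exception_add("intranet.example", fp);
    printf("fingerprint-only: %d  host-bound: %d\n",
           exception_allows_any_host(fp), exception_allows("bank.example", fp));
}
```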