Hi,
Maybe changing the verification of the depth level solves this issue. (I mean check the chain only up to User CA 1 and not up to the Root CA.) In this case it should not report a missing valid root.

I'm not sure; this is just an idea.

Regards,
Samy
Olaf Gellert <[EMAIL PROTECTED]> wrote on 07.03.2006 12:56 to openssl-users@openssl.org:
Subject: Choice of CAs in SSL/TLS handshake

Hi,

I came across the following problem: I do have
two user CAs under the same root CA:

Root CA
  |->  User CA 1   ->  User Certificate 1
  |->  User CA 2   ->  User Certificate 2

I want to tell a webserver to accept certificates
from User CA 1 but not from User CA 2. But: In
openssl s_server AND in mod_ssl I can only specify
a list (as file or directory) of trusted CAs. These
are used for two purposes:

a) the server puts all of them in its certificate_request
  message during SSL connection establishment.
b) they have to contain the root certificate as trust
  anchor.

What I need is a way to specify the requested client
CAs WITHOUT the root certificate. Otherwise clients
(Mozilla/Firefox) think that both CAs are accepted
(because the root certificate is in the certificate
request message).

Any way to do this? Is this just a missing feature
or do I read the RFC wrong? This is what RFC 2246 says
about the request message (sec. 7.4.4):

 certificate_authorities
     A list of the distinguished names of acceptable certificate
     authorities. These distinguished names may specify a desired
     distinguished name for a root CA or for a subordinate CA;
     thus, this message can be used both to describe known roots
     and a desired authorization space.

So it should be possible to provide only the certificate
of User CA 1? (but then openssl s_server and mod_ssl do
not find a valid root certificate.)

Thanks for any help,

Olaf

--
Dipl.Inform. Olaf Gellert                  PRESECURE (R)
Senior Researcher,                       Consulting GmbH
Phone: (+49) 0700 / PRESECURE           [EMAIL PROTECTED]

                       A daily view on Internet Attacks
                       https://www.ecsirt.net/sensornet
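The hierarchy from the question, rebuilt with throw-away keys as an added demonstration (this is not code from the thread, from OpenSSL's examples or from mod_ssl): it compares the single-list behaviour Olaf describes (Root CA as anchor accepts both user CAs), the failure when only User CA 1 is listed, and the partial-chain verification mode that later OpenSSL releases added (X509_V_FLAG_PARTIAL_CHAIN, exposed as `-partial_chain` in `openssl verify` from 1.0.2 on), which lets User CA 1 serve as the trust anchor on its own. It assumes an `openssl` binary on the PATH; all names, file names and the helper functions are constructed for this illustration.

```shell
#!/bin/sh
# Added demonstration (not from the thread): rebuild Root CA -> User CA 1/2
# -> User Certificate 1/2 with throw-away EC keys, then compare policies.
set -e
WORK=$(mktemp -d); cd "$WORK"; trap 'rm -rf "$WORK"' EXIT
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > leaf.ext

newkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1.key" 2>/dev/null; }

# sign NAME SUBJECT ISSUER EXTFILE: issue NAME.pem, signed with ISSUER.key
sign() {
  newkey "$1"
  openssl req -new -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days 1 -extfile "$4" -out "$1.pem" 2>/dev/null
}

# self-signed root, then the two subordinate CAs and one end-entity cert each
newkey root
openssl req -new -key root.key -subj "/CN=Root CA" -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.pem 2>/dev/null
sign userca1 "/CN=User CA 1"          root    ca.ext
sign userca2 "/CN=User CA 2"          root    ca.ext
sign user1   "/CN=User Certificate 1" userca1 leaf.ext
sign user2   "/CN=User Certificate 2" userca2 leaf.ext

# verdict LEAF ISSUER [verify options]: the client presents LEAF plus its
# user CA (ISSUER) as untrusted chain material; prints accept or reject
verdict() {
  leaf=$1; issuer=$2; shift 2
  if openssl verify "$@" -untrusted "$issuer" "$leaf" >/dev/null 2>&1; then echo accept; else echo reject; fi
}
# 1) One list with the Root CA as anchor (what s_server/mod_ssl do): both
#    user certificates verify, so the server cannot exclude User CA 2 here.
root_anchored()         { verdict "$1" "$2" -CAfile root.pem; }
# 2) Only User CA 1 in the list, full chain required: no self-signed root is
#    reached, so even User Certificate 1 fails (the "no valid root" Olaf saw).
userca1_full_chain()    { verdict "$1" "$2" -CAfile userca1.pem; }
# 3) Only User CA 1, partial-chain mode (OpenSSL 1.0.2+): User CA 1 is itself
#    the trust anchor, so User Certificate 1 passes and User Certificate 2 fails.
userca1_partial_chain() { verdict "$1" "$2" -partial_chain -CAfile userca1.pem; }

echo "root anchor:    user1=$(root_anchored user1.pem userca1.pem) user2=$(root_anchored user2.pem userca2.pem)"
echo "User CA 1 only: user1=$(userca1_full_chain user1.pem userca1.pem)"
echo "partial chain:  user1=$(userca1_partial_chain user1.pem userca1.pem) user2=$(userca1_partial_chain user2.pem userca2.pem)"
```

The same flag is set programmatically with X509_VERIFY_PARAM_set_flags(..., X509_V_FLAG_PARTIAL_CHAIN) on the server's SSL_CTX; the CA names advertised in certificate_request are controlled separately through SSL_CTX_set_client_CA_list, which is the split between "requested CAs" and "trust anchors" the question asks for.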
