On 2/14/2012 6:46 PM, Timothy Kay wrote:
> We have been baffled for a long time that curl cannot
> access websites that work just fine in the browser
> (unless we use --insecure, of course). The curl
> documentation points you to
> http://curl.haxx.se/docs/sslcerts.html, which explains
> that your server has out of date certificates. It's not
> true! The problem is that the troublesome websites send
> the certificate chain that is out of order, and openssl
> fails to validate these chains, even though
> /etc/ssl/certs contains appropriate root certificates.
>
> ...
> (large example demonstrating that
> https://catalog.cincinnatilibrary.org exhibits this
> behavior omitted, see the top post for that).
It seems this all comes down to the Postel principle (RFC760 section 3.2). Should OpenSSL (the code, not the people) strictly insist on the other end of an SSL/TLS connection obeying the letter of the specifications by sending certificates in hierarchical order from end entity to trusted certificate, or should OpenSSL be liberal and accept out-of-order certificate chains as yet another real world "quirk"?

It should be noted that a similar concern applies to the certificates found in PKCS#7 and S/MIME signatures, though I have not checked how OpenSSL's PKCS#7 code handles certificate ordering in that "protocol".

It should also be noted that a quick test shows that recent versions of both Mozilla and Internet Explorer accept the example site as highly secure without any warnings or errors about the certificate chain, so this seems to be a commonly accepted quirk for SSL.

--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
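The thread contrasts a "strict" verifier, which expects the order RFC 5246 mandates (end entity first, each following certificate signing the one before it), with a "liberal" one that tolerates any order. The Go program below is an added example written for this page; it is not code from the thread, from OpenSSL, or from curl, and it does not reproduce OpenSSL's actual chain-building logic. It generates a throwaway root, intermediate and leaf (the common names are made up), presents them in the wrong order as the post describes, shows that a strict position-by-position signature check rejects the bundle, and then repairs the order by following issuer links before checking again.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a certificate for cn signed by parent; self-signed when parent is nil.
// Assumption: throwaway P-256 keys and made-up names, valid for one day, for illustration only.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// StrictChainOK stands in for a verifier that insists on RFC 5246 ordering:
// chain[0] is the end entity and chain[i+1] must have signed chain[i].
func StrictChainOK(chain []*x509.Certificate) bool {
	for i := 0; i+1 < len(chain); i++ {
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return false
		}
	}
	return true
}

// ReorderChain is the liberal behaviour: it rebuilds leaf-first order from an
// arbitrarily ordered bundle by following issuer links. The leaf is the one
// certificate that signed nothing else in the bundle; an ambiguous or broken
// bundle is reported rather than guessed at.
func ReorderChain(certs []*x509.Certificate) ([]*x509.Certificate, error) {
	issuedSomething := make(map[*x509.Certificate]bool)
	for _, c := range certs {
		for _, p := range certs {
			if p != c && c.CheckSignatureFrom(p) == nil {
				issuedSomething[p] = true
			}
		}
	}
	var leaf *x509.Certificate
	for _, c := range certs {
		if !issuedSomething[c] {
			if leaf != nil {
				return nil, fmt.Errorf("bundle contains more than one end-entity certificate")
			}
			leaf = c
		}
	}
	if leaf == nil {
		return nil, fmt.Errorf("no end-entity certificate found in bundle")
	}
	ordered := []*x509.Certificate{leaf}
	for cur := leaf; len(ordered) < len(certs); {
		var next *x509.Certificate
		for _, p := range certs {
			if p != cur && cur.CheckSignatureFrom(p) == nil {
				next = p
				break
			}
		}
		if next == nil {
			return nil, fmt.Errorf("no issuer in bundle for %q", cur.Subject.CommonName)
		}
		ordered = append(ordered, next)
		cur = next
	}
	return ordered, nil
}

// Demo builds root -> intermediate -> leaf, presents the bundle out of order
// (intermediate first, as the post describes) and reports the strict check
// before and after repair, plus the repaired order of common names.
func Demo() (strictBefore, strictAfter bool, order []string, err error) {
	root, rootKey, err := makeCert("Example Root CA", true, nil, nil)
	if err != nil {
		return
	}
	inter, interKey, err := makeCert("Example Intermediate CA", true, root, rootKey)
	if err != nil {
		return
	}
	leaf, _, err := makeCert("catalog.example.test", false, inter, interKey)
	if err != nil {
		return
	}
	outOfOrder := []*x509.Certificate{inter, leaf, root} // constructed misordered bundle
	strictBefore = StrictChainOK(outOfOrder)
	fixed, err := ReorderChain(outOfOrder)
	if err != nil {
		return
	}
	strictAfter = StrictChainOK(fixed)
	for _, c := range fixed {
		order = append(order, c.Subject.CommonName)
	}
	return
}

func main() {
	before, after, order, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("strict check on out-of-order bundle:", before)
	fmt.Println("strict check after reordering:     ", after)
	fmt.Println("repaired order:", order)
}
```

The repair step matches certificates by verifying signatures rather than by comparing subject and issuer names, so two CAs with the same name cannot be confused; the cost is an extra signature check per pair, which is negligible for the three or four certificates a server sends. The operational fix remains on the server side: send the chain in the order the specification requires, and no client has to be liberal.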