I thing yours Q is about responsibility.
If CA issues for "Some Private Org" such type of certificate, which
allows (key usage) to sign other certificates, then is this CA
responsible for it.
And the other thing: if POP3S library don't check CN (what IMHO should),
then set as trusted only the (on end) correct pop3.live.com certificate
and you do not need to take care about intermediate issuer.
DNSsec as mandatory could help too. And use "chattr +i" on
/etc/hosts; host.conf; resolv.conf
--kapetr
Dne 9.2.2013 17:47, Angelin Lalev napsal(a):
I'm not a professional C programmer, but I occasionaly use C to create
administrative "scripts". I'm sorry
if I'm asking for anything trivial and will be very thankful if You
direct me to the relevant documentation.
The question:
I'm trying to obtain SSL certificate for POP3S server of live.com to
use with POP3S library (libspopc).
openssl s_client -connect pop3.live.com:995 -showcerts
produces:
CONNECTED(00000003)
depth=2 CN = Microsoft Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/CN=pop3.live.com
i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure
Server Authority
-----BEGIN CERTIFICATE-----
............................................................
-----END CERTIFICATE-----
1 s:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure
Server Authority
i:/CN=Microsoft Internet Authority
-----BEGIN CERTIFICATE-----
..........................................................
-----END CERTIFICATE-----
2 s:/CN=Microsoft Internet Authority
i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE
CyberTrust Global Root
-----BEGIN CERTIFICATE-----
..............................................................
-----END CERTIFICATE-----
So we have CybertTrust Global Root ------signs-----> Microsoft
Internet Authority-----signs-----> Microsoft Secure Server Authority
-------signs-----> pop3.live.com
(valid until 2018)
(valid until 2014) (valid
until mid-2013)
I had the smart idea of adding the CyberTrust Global Root to my
embedded application and use it to validate the certificate chain.
There is a problem though. If CyberTrust Global Root signs other
certificates, this verification will result any certificate, signed by
CyberTrust to be valid.
How should I approach towards a solution of this problem. Look at CNs?
What if something like this happens
CyberTrust Global Root -------------------> Signs --------------> Some
Private Org -----------Signs fake ------------> pop3.live.com
For example my POP3S library doesn't seem to mind if the address i'm
connecting is something different than pop3.live.com:995. I did a
little manipulation of
/etc/hosts and now I'm able to connect to the same server (same IP)
under different domain name.
Are there some standard library functions that automate this process.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
