On 2021-06-18 17:07, Viktor Dukhovni wrote:

> On Fri, Jun 18, 2021 at 03:09:47PM +0200, Jakob Bohm via openssl-users wrote:
>
>> Now the client simply works backwards through that list, checking if
>> each certificate signed the next one or claims to be signed by a
>> certificate in /etc/certs.  This lookup is done based on the complete
>> distinguished name, not just the CN part of it.  At every step, the
>> certificate may be referenced by a "key identifier" instead of the
>> distinguished name, and some clients will compare that instead of the
>> distinguished name.
>
> All extant (non-EOL) OpenSSL releases prioritise the local trust-store
> over the remotely provided CA certificate list when building the
> certificate chain.  The remote chain is used only when no match is found
> in the trust store.  As soon as a matching issuer is found in the trust store
> all further lookups are from the trust store only.
>
> If the local trust store contains only "root CAs", and the remote peer
> provides the rest of the chain, with no overlap in the subject
> distinguished names, the behaviour is not observably different from
> Jakob's description.
>
> Differences are observed once the local trust store contains some
> intermediate certificates or the remote chain provides a cross cert for
> which the local store instead contains a corresponding (same subject
> name and keyid) self-signed root, or the cross cert is in the local
> store, but the remote peer sends a root.  In all such cases chain
> construction uses the certs from the trust store.  This tends to produce
> less surprising (and ideally better, or at least what you implicitly
> asked for) results.

Interesting, earlier today, I observed the confusing effect of
"openssl verify" treating -trusted_first as always on while keeping
document wording suggesting it is an actual option, not historical
remnants of yet another feature removed by the new OpenSSL
management.

>> --
>> Jakob Bohm, CIO, partner, WiseMo A/S. https://www.wisemo.com
>> Transformervej 29, 2860 Soborg, Denmark. direct: +45 31 13 16 10
>> This message is only for its intended recipient, delete if misaddressed.
>> WiseMo - Remote Service Management for PCs, Phones and Embedded


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
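The trust-store-first chain building Viktor describes, shown with a constructed mini PKI (an added example, not code from the thread or from OpenSSL itself): one "Inter" key gets both a self-signed certificate and a cross certificate issued by "Root", the peer is assumed to send the cross cert plus Root, and `openssl verify -show_chain` reveals which issuer was actually used. Names (Root, Inter, leaf) and the `chain_for` helper are this example's own.

```shell
#!/bin/sh
# Builds a throwaway PKI in a temp dir, then verifies the leaf against
# different trust stores to see where the issuer certificates come from.
set -eu
W=$(mktemp -d); cd "$W"
printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nauthorityKeyIdentifier=keyid\n' > leaf.ext

# Root CA: self-signed.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem -subj /CN=Root -days 1 2>/dev/null
# One Inter key, two certificates for it (same subject name, same keyid):
#   inter-self.pem  - self-signed "root" form, as a trust store might hold it
#   inter-cross.pem - cross cert issued by Root, as a peer would send it
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj /CN=Inter 2>/dev/null
openssl x509 -req -in inter.csr -signkey inter.key -days 1 -extfile ca.ext -out inter-self.pem 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 2 -days 1 -extfile ca.ext -out inter-cross.pem 2>/dev/null
# End-entity cert signed with the Inter key.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj /CN=leaf 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter-cross.pem -CAkey inter.key -set_serial 3 -days 1 -extfile leaf.ext -out leaf.pem 2>/dev/null

cat inter-cross.pem root.pem > peer-chain.pem   # what the remote peer supplies with the leaf
cat root.pem inter-self.pem > both.pem           # trust store holding Root and the self-signed Inter

# chain_for TRUSTFILE: verify leaf.pem using TRUSTFILE as the trust store and
# peer-chain.pem as the untrusted (peer-provided) certs; print the chain that
# was built as "CN=leaf CN=Inter ...", leaf first.
chain_for() {
  openssl verify -CAfile "$1" -untrusted peer-chain.pem -show_chain leaf.pem \
    | sed -n 's/^depth=[0-9]*: *//p' | sed 's/ (untrusted)//; s#^/##; s/ *= */=/' \
    | tr '\n' ' ' | sed 's/ $//'
}

echo "trust store = self-signed Inter only: $(chain_for inter-self.pem)"
echo "trust store = Root only:              $(chain_for root.pem)"
echo "trust store = Root + self-signed Inter: $(chain_for both.pem)"
```

In the third case the trust store's self-signed Inter is picked ahead of the peer's cross cert, so the chain stops there and Root never appears, which is exactly the "trust store first" behaviour the reply describes.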