RE: Cert chain verification failures
> From: owner-openssl-us...@openssl.org On Behalf Of David Coulson
> Sent: Wednesday, 30 March, 2011 10:24
>
> On 3/30/11 8:33 AM, Crypto Sal wrote:
> > David: Firefox caches that information, so that it can use them later if you view a similar certificate hierarchy. If you view the Firefox Certificate Manager you should see Software Security Device vs. that of Built in Object next to each of the certificates in question outside of the Entrust Root CA, which should say 'Built In...'.
>
> Understood. Is there a way to mimic this functionality with OpenSSL via CAfile or CApath? So far not having much luck doing that. I pretty much want to put the root/intermediate CA files somewhere and have my s_client test utilize those for chaining, rather than what the web server sends over.

As the manpage says. For s_client: -CAfile with one PEM file containing all needed certs, or -CApath with a directory containing each cert in its own PEM file linked as, or directly named, a hash of the (canonical) subject. On Unix opensslinstall/bin/c_rehash should do this for you; on Windows I don't have any easy way and just prefer -CAfile.

For your own app, call SSL_[CTX_]load_verify_locations with the same argument values (derived however you like).

But one thing that isn't stressed: openssl insists on verifying up to a root always. Even if an intermediate cert is in the truststore, that isn't enough to verify the chain.

And I don't think openssl will use the store to *override* what the server sends. It will *add* *missing* ones. Normally this shouldn't matter, because a given cert must always be the same; if altered, it's no longer valid. But when I looked briefly before at the s_client output and site you posted, there appeared to be two *different* certs for Digicert High Assurance EV Root CA -- same pubkey and SKID, but different validity and issuer/serial (at least). I'm not sure why, but look carefully at what/which you get.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
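The -CApath layout and the "must reach a root" rule described in the reply above, worked through as an added example (this is not code from the thread or from the OpenSSL project). It uses openssl verify in place of s_client so that it runs offline against a throwaway root/intermediate/leaf hierarchy it generates itself; the CA names, the DNS name www.example.test, the trust_* directory names and the pki.cnf file are all constructed for the example, and the openssl binary must be on PATH. Case 2 reproduces the failure of a server that sends only its leaf, case 3 shows the store supplying a missing intermediate, and case 4 shows that an intermediate in the store is not enough on its own.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenSSL project: build a -CApath
# directory by hand (what c_rehash automates) and show which chains OpenSSL
# accepts. openssl verify stands in for s_client so everything runs offline
# against a throwaway hierarchy generated here; the subject names and the
# DNS name www.example.test are hypothetical.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Root -> intermediate -> leaf, all RSA, all generated locally.
build_pki() {
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF
    # Self-signed root.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
        -days 30 -subj "/CN=Example Test Root" -config pki.cnf \
        -extensions v3_ca >/dev/null 2>&1
    # Intermediate CA signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
        -subj "/CN=Example Test Intermediate" -config pki.cnf >/dev/null 2>&1
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 30 -out int.pem -extfile pki.cnf -extensions v3_ca >/dev/null 2>&1
    # End-entity certificate signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=www.example.test" -config pki.cnf >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 30 -out leaf.pem -extfile pki.cnf -extensions v3_leaf >/dev/null 2>&1
}

# build_capath DIR CERT...: copy each cert into DIR under its subject hash,
# the HASH.0 naming that -CApath lookups expect and c_rehash produces.
build_capath() {
    dir="$1"; shift
    mkdir -p "$dir"
    for cert in "$@"; do
        h=$(openssl x509 -in "$cert" -noout -subject_hash)
        cp "$cert" "$dir/$h.0"
    done
}

# verify_leaf DIR [verify options]: exit status 0 if leaf.pem chains to a
# root in DIR. -untrusted stands in for the certs a server sends on the wire.
verify_leaf() {
    dir="$1"; shift
    openssl verify -CApath "$dir" "$@" leaf.pem >/dev/null 2>&1
}

run_demo() {
    build_pki
    build_capath trust_root root.pem
    build_capath trust_int int.pem
    build_capath trust_both root.pem int.pem
    # 1. Server sends leaf + intermediate, store has the root: accepted.
    verify_leaf trust_root -untrusted int.pem && r1=ok || r1=fail
    # 2. Server sends only the leaf, store has only the root: rejected
    #    ("unable to get local issuer certificate"), the second site's case.
    verify_leaf trust_root && r2=ok || r2=fail
    # 3. Store has root and intermediate: the missing intermediate is added
    #    from the store and the chain verifies.
    verify_leaf trust_both && r3=ok || r3=fail
    # 4. Store has only the intermediate: rejected, the chain never reaches a root.
    verify_leaf trust_int && r4=ok || r4=fail
    echo "$r1 $r2 $r3 $r4"
    [ "$r1 $r2 $r3 $r4" = "ok fail ok fail" ]
}

run_demo
```

Against a live server the same directory is passed as `openssl s_client -connect host:443 -CApath trust_both`; the lookup rule is identical, which is why an intermediate dropped into the directory under its subject hash fixes a server that forgets to send it. OpenSSL 1.0.2 and later also have `-partial_chain`, which makes case 4 succeed by accepting a certificate found in the store as a trust anchor even when it is not self-signed; without that flag the behaviour is exactly as described in the reply.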
Re: Cert chain verification failures
On 03/29/2011 01:16 PM, David Coulson wrote:
> On 3/29/11 12:58 PM, Bruce Stephens wrote:
> > Add the -showcerts option to the s_client commands and you'll see the first server returns a chain of certificates where the second offers only the end server certificate.
>
> Okay, I see that; makes sense. When I hit the hostname w/ Firefox I'm able to see a complete certificate chain. Where does it get that information from?

David: Firefox caches that information, so that it can use them later if you view a similar certificate hierarchy. If you view the Firefox Certificate Manager you should see Software Security Device vs. that of Built in Object next to each of the certificates in question outside of the Entrust Root CA, which should say 'Built In...'.

Bruce: You don't even need to use the 'showcerts' flag for 's_client', because one can see the chain by looking at the digits in the rightmost column, which is the certificate depth. Depth 0 is always the end entity/device certificate and everything else may be a part of the hierarchy.
Re: Cert chain verification failures
On 3/30/11 8:33 AM, Crypto Sal wrote:
> David: Firefox caches that information, so that it can use them later if you view a similar certificate hierarchy. If you view the Firefox Certificate Manager you should see Software Security Device vs. that of Built in Object next to each of the certificates in question outside of the Entrust Root CA, which should say 'Built In...'.

Understood. Is there a way to mimic this functionality with OpenSSL via CAfile or CApath? So far not having much luck doing that. I pretty much want to put the root/intermediate CA files somewhere and have my s_client test utilize those for chaining, rather than what the web server sends over.

David
Re: Cert chain verification failures
David Coulson da...@davidcoulson.net writes:

> [...]
> OpenSSL has other ideas. First one validates fine, second one does not. I can't for the life of me figure out what the difference is. Any ideas?

Add the -showcerts option to the s_client commands and you'll see the first server returns a chain of certificates where the second offers only the end server certificate.

[...]
Re: Cert chain verification failures
On 3/29/11 12:58 PM, Bruce Stephens wrote:
> Add the -showcerts option to the s_client commands and you'll see the first server returns a chain of certificates where the second offers only the end server certificate.

Okay, I see that; makes sense. When I hit the hostname w/ Firefox I'm able to see a complete certificate chain. Where does it get that information from?
Re: Cert chain verification failures
David Coulson da...@davidcoulson.net writes:

> On 3/29/11 12:58 PM, Bruce Stephens wrote:
> > Add the -showcerts option to the s_client commands and you'll see the first server returns a chain of certificates where the second offers only the end server certificate.
>
> Okay, I see that; makes sense. When I hit the hostname w/ Firefox I'm able to see a complete certificate chain. Where does it get that information from?

It'll be built in. Web browsers have an improbably large number of certificates (many of them trusted) automatically available in some way (Firefox has its own database, IE uses some part of the Windows certificate store).

[...]