On Thu, Jan 07, 2021 at 09:31:17AM -0800, Aaron Gable wrote: > In cases where we expect OpenSSL to be validating the chain, we expect that > ISRG Root X1 is also in the trust store (unlike older versions of Android, > where we know that it hasn't been added). As such, there will be two > certificates in the chain which are also in the local trust store: ISRG > Root X1 and the expired DST Root CA X3. > > It is my understanding that OpenSSL 1.1.0+, with the `trusted_first` method > as the default chain-building method, will go through the following steps: > 1) Receive the chain "EE <-- R3 <-- ISRG Root X1 (cross-signed by DST Root > CA X3)" from the server > 2) Look to see if it can complete this chain using certificates from > `-CAfile`, `-CApath`, or `-trusted` > 3) See that ISRG Root X1 is already trusted > 4) Return this chain, which successfully verifies. > > The evidence that this works on OpenSSL 1.1.0+ comes from the very similar > situation this past May. In that case, many servers were serving the chain > "EE <-- Sectigo RSA Domain Validation Secure Server CA <-- USERTrust RSA > Certification Authority <-- AddTrust External CA Root". In that situation, > both the USERTrust RSA Certification Authority and the AddTrust External CA > Root were in various trust stores, and then the AddTrust External CA Root > expired. Clients which were using OpenSSL 1.1.0+ did not begin to fail at > that time, because they were still able to trust the USERTrust RSA > Certification Authority. Clients using OpenSSL 1.0.x were failing, because > they couldn't recognize that one of the intermediates in the chain was in > their own trust store. > > If this understanding is incorrect or missing something, we'd love to be > informed.
Yes, "trusted first" behaves that way and is on by default since 1.1.0 and can't be disabled. It was not clear to me that the X1 root was in the trust store if you use 1.1.0. Kurt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy