Re: [openssl-users] Possible bug in verifying a certificate if default root store is configured

2012-12-07 Thread Erwann Abalea

Inline.

--
Erwann ABALEA

On 07/12/2012 11:26, Ralph Holz wrote:

> Hi,
>
> Yes, that clarifies the issue for me.
>
> One thing I am wondering about now (as a user) would be how to get
> openssl to disregard any local trusted cert list - i.e. how do I get it
> to act on the provided CAFile only?

"openssl  -CAfile myfile -CApath /nonexistent" should do it.

> Do I need to remove the complete local root store? Or can I set the
> CAPath to "." and then openssl will not fall back to default settings?

Setting -CApath to '.' works also.

> I think that information is what users are really looking for.
>
> Ralph
>
> On 12/06/2012 09:32 PM, Chris Palmer wrote:
>> On Thu, Dec 6, 2012 at 12:00 PM, Erwann Abalea
>>  wrote:
>>
>>> There's the same behaviour with -CAfile. If -CAfile isn't specified, then
>>> the default platform CA file is used (by default, /usr/lib/ssl/cert.pem).
>>> This is true for verify, ocsp, smime, and cms.
>>
>> Oh, right. New diff attached.





__
OpenSSL Project http://www.openssl.org
User Support Mailing List  openssl-users@openssl.org
Automated List Manager   majord...@openssl.org
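
The workaround suggested in the reply above, as an added example that is not part of the original thread: it builds two throwaway roots and a leaf signed by one of them, then runs `openssl verify` with both -CAfile and -CApath set so that only the chosen root counts. The names rootA, rootB and leaf, the helper functions, and the empty directory standing in for /nonexistent are assumptions of the example.

```shell
#!/bin/sh
# Added example. All keys and certificates are throwaway values generated here.
set -eu

# make_pki DIR: create rootA, rootB and a leaf signed by rootB inside DIR.
make_pki() {
    d=$1
    mkdir -p "$d/empty"                 # directory containing no hashed certs
    printf '%s\n' '[req]' 'prompt=no' 'distinguished_name=dn' \
        'x509_extensions=v3_ca' '[dn]' 'CN=placeholder' \
        '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/req.cnf"
    for ca in rootA rootB; do
        openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes \
            -days 1 -subj "/CN=$ca" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null
    done
    openssl req -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=leaf" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/rootB.pem" \
        -CAkey "$d/rootB.key" -set_serial 1 -days 1 \
        -out "$d/leaf.pem" 2>/dev/null
}

# verify_pinned CAFILE CERT EMPTYDIR
# Passes both -CAfile and -CApath, so neither default location is consulted.
# Succeeds only if verify prints its "<file>: OK" line.
verify_pinned() {
    openssl verify -CAfile "$1" -CApath "$3" "$2" 2>/dev/null | grep -q ': OK$'
}

demo() {
    work=$(mktemp -d)
    make_pki "$work"
    if verify_pinned "$work/rootB.pem" "$work/leaf.pem" "$work/empty"; then
        echo "leaf against rootB (its issuer): OK"
    fi
    if ! verify_pinned "$work/rootA.pem" "$work/leaf.pem" "$work/empty"; then
        echo "leaf against rootA (unrelated root): rejected"
    fi
    rm -rf "$work"
}

demo
```
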


Re: [openssl-users] Possible bug in verifying a certificate if default root store is configured

2012-12-07 Thread Ralph Holz
Hi,

Yes, that clarifies the issue for me.

One thing I am wondering about now (as a user) would be how to get
openssl to disregard any local trusted cert list - i.e. how do I get it
to act on the provided CAFile only?

Do I need to remove the complete local root store? Or can I set the
CAPath to "." and then openssl will not fall back to default settings?

I think that information is what users are really looking for.

Ralph

On 12/06/2012 09:32 PM, Chris Palmer wrote:
> On Thu, Dec 6, 2012 at 12:00 PM, Erwann Abalea
>  wrote:
> 
>> There's the same behaviour with -CAfile. If -CAfile isn't specified, then
>> the default platform CA file is used (by default, /usr/lib/ssl/cert.pem).
>> This is true for verify, ocsp, smime, and cms.
> 
> Oh, right. New diff attached.
> 


-- 
Ralph Holz
Network Architectures and Services
Technische Universität München
Phone +49 89 28918043
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF


Re: [openssl-users] Possible bug in verifying a certificate if default root store is configured

2012-12-06 Thread Chris Palmer
On Thu, Dec 6, 2012 at 12:00 PM, Erwann Abalea
 wrote:

> There's the same behaviour with -CAfile. If -CAfile isn't specified, then
> the default platform CA file is used (by default, /usr/lib/ssl/cert.pem).
> This is true for verify, ocsp, smime, and cms.

Oh, right. New diff attached.


verify.pod-HEAD.diff
Description: Binary data


Re: [openssl-users] Possible bug in verifying a certificate if default root store is configured

2012-12-06 Thread Erwann Abalea
There's the same behaviour with -CAfile. If -CAfile isn't specified, 
then the default platform CA file is used (by default, 
/usr/lib/ssl/cert.pem).

This is true for verify, ocsp, smime, and cms.

I personally don't think it's unexpected for the openssl app. I'd even 
like it to be extended to other parts (ts, s_client, s_server, ...). 
Documented, of course.

But only for the app.

--
Erwann ABALEA

On 06/12/2012 20:39, Chris Palmer wrote:

> On Thu, Dec 6, 2012 at 2:16 AM, Ralph Holz
>  wrote:
>
>> -CAfile file    A file of trusted certificates.
>>
>> "The lookup first looks in the list of untrusted certificates and if no
>> match is found the remaining lookups are from the trusted certificates.
>> The root CA is always looked up in the trusted certificate list: if the
>> certificate to verify is a root certificate then an exact match must be
>> found in the trusted list."
>>
>> This has led me to believe -CAfile would cause openssl to ignore a
>> default path to certs. I am surprised CAPath is still evaluated if you
>> indicate a CAFile. However, as strace shows:
>
> I've attached a diff against HEAD for verify.pod. Is it any good?




Re: [openssl-users] Possible bug in verifying a certificate if default root store is configured

2012-12-06 Thread Chris Palmer
On Thu, Dec 6, 2012 at 2:16 AM, Ralph Holz
 wrote:

> -CAfile file    A file of trusted certificates.
>
> "The lookup first looks in the list of untrusted certificates and if no
> match is found the remaining lookups are from the trusted certificates.
> The root CA is always looked up in the trusted certificate list: if the
> certificate to verify is a root certificate then an exact match must be
> found in the trusted list."
>
> This has led me to believe -CAfile would cause openssl to ignore a
> default path to certs. I am surprised CAPath is still evaluated if you
> indicate a CAFile. However, as strace shows:

I've attached a diff against HEAD for verify.pod. Is it any good?


verify.pod-HEAD.diff
Description: Binary data


Re: [openssl-users] Possible bug in verifying a certificate if default root store is configured

2012-12-06 Thread Ralph Holz
Hi,

> See apps/apps.c, function setup_verify. It receives 2 arguments CAfile
> and CApath.
> Each one is processed independently, and if either one is NULL, its
> corresponding default is used.
> 

Thanks for the quick reply. The openssl docs at

http://www.openssl.org/docs/apps/verify.html

say:

-CAfile file    A file of trusted certificates.

"The lookup first looks in the list of untrusted certificates and if no
match is found the remaining lookups are from the trusted certificates.
The root CA is always looked up in the trusted certificate list: if the
certificate to verify is a root certificate then an exact match must be
found in the trusted list."


This has led me to believe -CAfile would cause openssl to ignore a
default path to certs. I am surprised CAPath is still evaluated if you
indicate a CAFile. However, as strace shows:

http://pastebin.com/Ckq67h0D

CAPath is indeed evaluated as you say.

So would you argue that this behaviour should be expected? If so, I
would argue it should be stated in the docs (and not just in the code).

Ralph


Re: [openssl-users] Possible bug in verifying a certificate if default root store is configured

2012-12-06 Thread Erwann Abalea

Hello,

See apps/apps.c, function setup_verify. It receives 2 arguments CAfile 
and CApath.
Each one is processed independently, and if either one is NULL, its 
corresponding default is used.


--
Erwann ABALEA

On 06/12/2012 10:38, Ralph Holz wrote:

> Good day,
>
> I was using openssl verify as described in the Pastebin link to validate
> a cert, using a custom root store indicated with the -CAfile option. The
> custom root store contains a Comodo root, the cert to be validated is
> signed by Equifax. The expected result would be for that check to fail.
>
> However, it does not: it verifies with "OK". This happens on Ubuntu and
> very likely also on Fedora, which makes me think it might be an upstream
> issue. Both OS have default root stores configured for openssl.
>
> I would like to ask for confirmation from this ML if this kind of
> behaviour is unexpected as I would expect -CAfile to overwrite any
> default root store:
>
> http://pastebin.com/3CZHbKYg
> https://bugzilla.redhat.com/show_bug.cgi?id=884305
>
> Am I missing something or is this a bug?
>
> If it is a bug - this would mean you verify against your distro's root
> store even if you think you have chosen your own roots only.
>
> Also, would the same thing happen if you use libssl-dev?
>
> Thanks for any clarification on this issue.
>
> Thanks,
>
> Ralph