Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath
On 05/12/2018 00:50, Viktor Dukhovni wrote:
> On Tue, Dec 04, 2018 at 04:15:11PM +0100, Jakob Bohm via openssl-users wrote:
>
> > > Care to create a PR against the "master" branch? Something
> > > along the lines of:
> > >
> > > "Provided chain ends with untrusted self-signed certificate"
> > >
> > > or better. Here "untrusted" might mean not trusted for the requested
> > > purpose, but more precise is not always more clear.
> >
> > Perhaps s/untrusted/unknown/ as in
> > "Provided chain ends with unknown self-signed certificate".
>
> I don't see why "unknown" is better, it could under certain conditions
> be "known", but not trusted.

Unknown would differ from untrusted in cases where there is some setting
indicating that some certificates in the CA directory are trusted only
for some/no purposes. This could (in current or future code) represent
things such as the trust bits in "Trusted Certificate" files.

> > Or even better, two different error codes:
> >
> > - "Only self-signed end certificate provided"
> >
> > - "Provided chain ends with unknown root certificate"
>
> That already exists:
>
> crypto/x509/x509_txt.c:
>     case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
>         return "self signed certificate";
>     case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
>         return "self signed certificate in certificate chain";

In that case, maybe change the text to:

"Provided chain ends with an unknown and thus untrusted root certificate"

This would capture both the fact that the root is unknown (not in the CA
stores configured/loaded) and that this is the specific fact causing it
to be untrusted.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath
On Tue, Dec 04, 2018 at 04:15:11PM +0100, Jakob Bohm via openssl-users wrote:

> > Care to create a PR against the "master" branch? Something
> > along the lines of:
> >
> > "Provided chain ends with untrusted self-signed certificate"
> >
> > or better. Here "untrusted" might mean not trusted for the requested
> > purpose, but more precise is not always more clear.
>
> Perhaps s/untrusted/unknown/ as in
> "Provided chain ends with unknown self-signed certificate".

I don't see why "unknown" is better, it could under certain conditions
be "known", but not trusted.

> Or even better, two different error codes:
>
> - "Only self-signed end certificate provided"
>
> - "Provided chain ends with unknown root certificate"

That already exists:

crypto/x509/x509_txt.c:
    case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
        return "self signed certificate";
    case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
        return "self signed certificate in certificate chain";

--
Viktor.
Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath
> "Provided chain ends with unknown self-signed certificate".

I like this. IMHO "unrecognized" would be more confusing. I hope the team
makes up their mind quickly.

On 12/4/18, 6:17 PM, "openssl-users on behalf of Michael Wojcik" wrote:

> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Jakob Bohm via openssl-users
> Sent: Tuesday, December 04, 2018 08:15
>
> > Care to create a PR against the "master" branch? Something
> > along the lines of:
> >
> > "Provided chain ends with untrusted self-signed certificate"
> >
> > or better. Here "untrusted" might mean not trusted for the requested
> > purpose, but more precise is not always more clear.
>
> Perhaps s/untrusted/unknown/ as in
> "Provided chain ends with unknown self-signed certificate".

Yes, that might be better. Or maybe "unrecognized". Of course there's
scope for someone to misinterpret regardless of which term is used. I can
suggest various alternatives in the PR and let the team decide.

> Or even better, two different error codes:
>
> - "Only self-signed end certificate provided"
>
> - "Provided chain ends with unknown root certificate"
>
> (Deciding which one keeps the old error code is left as
> an exercise).

I can raise that as a possibility too, in the PR. Obviously it's a bit
more work than simply changing the existing text.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Jakob Bohm via openssl-users
> Sent: Tuesday, December 04, 2018 08:15
>
> > Care to create a PR against the "master" branch? Something
> > along the lines of:
> >
> > "Provided chain ends with untrusted self-signed certificate"
> >
> > or better. Here "untrusted" might mean not trusted for the requested
> > purpose, but more precise is not always more clear.
>
> Perhaps s/untrusted/unknown/ as in
> "Provided chain ends with unknown self-signed certificate".

Yes, that might be better. Or maybe "unrecognized". Of course there's
scope for someone to misinterpret regardless of which term is used. I can
suggest various alternatives in the PR and let the team decide.

> Or even better, two different error codes:
>
> - "Only self-signed end certificate provided"
>
> - "Provided chain ends with unknown root certificate"
>
> (Deciding which one keeps the old error code is left as
> an exercise).

I can raise that as a possibility too, in the PR. Obviously it's a bit
more work than simply changing the existing text.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath
On 01/12/2018 21:53, Viktor Dukhovni wrote:
> On Sat, Dec 01, 2018 at 07:12:24PM +, Michael Wojcik wrote:
>
> > > Are there compatibility concerns around changing error message
> > > text for which users may have created regex patterns in scripts?
> > >
> > > I agree the text could be better, but not sure in what releases
> > > if any to change the text, since the change may cause issues
> > > for some users.
> >
> > Sure, this is always a concern. Maybe the change could be considered for
> > OpenSSL 3.0, since that's a major release.
>
> Care to create a PR against the "master" branch? Something
> along the lines of:
>
> "Provided chain ends with untrusted self-signed certificate"
>
> or better. Here "untrusted" might mean not trusted for the requested
> purpose, but more precise is not always more clear.

Perhaps s/untrusted/unknown/ as in
"Provided chain ends with unknown self-signed certificate".

Or even better, two different error codes:

- "Only self-signed end certificate provided"

- "Provided chain ends with unknown root certificate"

(Deciding which one keeps the old error code is left as
an exercise).

(Distinguishing a self-signed end cert from a self-signed root when no
other certificate is provided is also left as an exercise).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath
LOL. Amen to that. It has gotten a WHOLE lot better. I started with OpenSSL
somewhere around 2010 and the documentation was EXTREMELY sparse to say
the least. Lots of functions documented as "under construction."

Charles

-----Original Message-----
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Michael Wojcik
Sent: Monday, December 3, 2018 10:58 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Charles Mills
> Sent: Monday, December 03, 2018 10:53
>
> I appreciate it. OpenSSL is of course a great product but it can be a little
> mystifying to debug.

If I were ever to write a book about OpenSSL, "a great product but a
little mystifying" would be an appropriate epigraph. Maybe Ivan should use
it for the next edition of his OpenSSL Cookbook. (Recommended, by the way,
or its larger sibling Bulletproof TLS; find them at feistyduck.com.)

Not that it hasn't gotten better over the years: better encapsulation and
abstraction, a lot more convenience functionality, a lot more explanation
and samples on the OpenSSL wiki (which I think didn't even exist when I
first started using OpenSSL). I have great appreciation for the team's
efforts. But SSL/TLS is a great big ball of hair to begin with, and while
I have tremendous respect for Eric Young, Stephen Henson, and the rest of
the original contributors, the OpenSSL source is not exactly a monument to
readability. (Though even in the early versions there were some important
steps in that direction, like mostly consistent, safe naming conventions
for external identifiers, thank goodness.)

--
Michael Wojcik
Distinguished Engineer, Micro Focus
Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath
> On Dec 3, 2018, at 1:47 PM, Sands, Daniel via openssl-users wrote:
>
> Just wondering, is there a different error for an untrusted cross-
> signed root? If it's the same error, then maybe remove "self-signed"
> from the above message too, because that would not always be the case
> either.

A cross-signed CA certificate is not self-signed (or even self-issued),
the two are mutually exclusive:

    This specification covers two classes of certificates: CA
    certificates and end entity certificates. CA certificates may be
    further divided into three classes: cross-certificates, self-issued
    certificates, and self-signed certificates. Cross-certificates are
    CA certificates in which the issuer and subject are different
    entities. Cross-certificates describe a trust relationship between
    the two CAs. Self-issued certificates are CA certificates in which
    the issuer and subject are the same entity. Self-issued certificates
    are generated to support changes in policy or operations.
    Self-signed certificates are self-issued certificates where the
    digital signature may be verified by the public key bound into the
    certificate. Self-signed certificates are used to convey a public
    key for use to begin certification paths. End entity certificates
    are issued to subjects that are not authorized to issue
    certificates.

In OpenSSL there's no such thing as a "cross-signed root", the
constructed chain contains a leaf certificate, some set of cross-signed
or self-issued intermediate certificates, and finally a self-signed
"root" (ignoring for the moment support for "partial chains" and DANE).

--
Viktor.
Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Charles Mills
> Sent: Monday, December 03, 2018 10:53
>
> I appreciate it. OpenSSL is of course a great product but it can be a little
> mystifying to debug.

If I were ever to write a book about OpenSSL, "a great product but a
little mystifying" would be an appropriate epigraph. Maybe Ivan should use
it for the next edition of his OpenSSL Cookbook. (Recommended, by the way,
or its larger sibling Bulletproof TLS; find them at feistyduck.com.)

Not that it hasn't gotten better over the years: better encapsulation and
abstraction, a lot more convenience functionality, a lot more explanation
and samples on the OpenSSL wiki (which I think didn't even exist when I
first started using OpenSSL). I have great appreciation for the team's
efforts. But SSL/TLS is a great big ball of hair to begin with, and while
I have tremendous respect for Eric Young, Stephen Henson, and the rest of
the original contributors, the OpenSSL source is not exactly a monument to
readability. (Though even in the early versions there were some important
steps in that direction, like mostly consistent, safe naming conventions
for external identifiers, thank goodness.)

--
Michael Wojcik
Distinguished Engineer, Micro Focus
Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath
On Sat, 2018-12-01 at 15:53 -0500, Viktor Dukhovni wrote:
> On Sat, Dec 01, 2018 at 07:12:24PM +, Michael Wojcik wrote:
>
> > > Are there compatibility concerns around changing error message
> > > text for which users may have created regex patterns in scripts?
> > >
> > > I agree the text could be better, but not sure in what releases
> > > if any to change the text, since the change may cause issues
> > > for some users.
> >
> > Sure, this is always a concern. Maybe the change could be
> > considered for OpenSSL 3.0, since that's a major release.
>
> Care to create a PR against the "master" branch? Something
> along the lines of:
>
> "Provided chain ends with untrusted self-signed certificate"
>
> or better. Here "untrusted" might mean not trusted for the requested
> purpose, but more precise is not always more clear.

Just wondering, is there a different error for an untrusted
cross-signed root? If it's the same error, then maybe remove
"self-signed" from the above message too, because that would not always
be the case either.
Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath
I appreciate it. OpenSSL is of course a great product but it can be a
little mystifying to debug.

I am a developer and I understand the problem of "layering" and
virtualization, where the component that realizes there is a problem is
so far removed that it does not know what the underlying real problem is.

That said, I would suggest that "Provided chain ends with untrusted
self-signed certificate" still does not really convey "no relevant CA
certificate found in the provided path."

Charles

-----Original Message-----
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Michael Wojcik
Sent: Monday, December 3, 2018 7:22 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Viktor Dukhovni
> Sent: Saturday, December 01, 2018 13:53
>
> On Sat, Dec 01, 2018 at 07:12:24PM +, Michael Wojcik wrote:
>
> > > Are there compatibility concerns around changing error message
> > > text for which users may have created regex patterns in scripts?
> > >
> > > I agree the text could be better, but not sure in what releases
> > > if any to change the text, since the change may cause issues
> > > for some users.
> >
> > Sure, this is always a concern. Maybe the change could be considered for
> > OpenSSL 3.0, since that's a major release.
>
> Care to create a PR against the "master" branch? Something
> along the lines of:
>
> "Provided chain ends with untrusted self-signed certificate"
>
> or better. Here "untrusted" might mean not trusted for the requested
> purpose, but more precise is not always more clear.

I should be able to do that. (My OpenSSL contributor paperwork is still
in progress, but since this PR wouldn't include any actual code, I don't
think I need to wait for that.) May be a few days before I get a chance
to do it.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Viktor Dukhovni
> Sent: Saturday, December 01, 2018 13:53
>
> On Sat, Dec 01, 2018 at 07:12:24PM +, Michael Wojcik wrote:
>
> > > Are there compatibility concerns around changing error message
> > > text for which users may have created regex patterns in scripts?
> > >
> > > I agree the text could be better, but not sure in what releases
> > > if any to change the text, since the change may cause issues
> > > for some users.
> >
> > Sure, this is always a concern. Maybe the change could be considered for
> > OpenSSL 3.0, since that's a major release.
>
> Care to create a PR against the "master" branch? Something
> along the lines of:
>
> "Provided chain ends with untrusted self-signed certificate"
>
> or better. Here "untrusted" might mean not trusted for the requested
> purpose, but more precise is not always more clear.

I should be able to do that. (My OpenSSL contributor paperwork is still
in progress, but since this PR wouldn't include any actual code, I don't
think I need to wait for that.) May be a few days before I get a chance
to do it.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath
On Fri 2018-11-30 20:38:01 -0500, Viktor Dukhovni wrote:
> Are there compatibility concerns around changing error message
> text for which users may have created regex patterns in scripts?

I advocate making the error message in English more comprehensible.
Michael Wojcik's suggestion of "Untrusted self-signed certificate in
certificate chain" more accurately reflects the semantics of this error
message.

The error message is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, which is
#defined in x509_vfy.h as 19, and 19 even shows up in the specific error
message. Scripts should be keying on this value, not on the
human-readable text.

Scripts which expect certain human-readable text will fail when the text
is localized (not done in OpenSSL yet, but perhaps it should be at some
point, it certainly is in glibc and other libraries), or when the text
is improved to be more accurate (this case). We shouldn't let those
scripts stop us from improving OpenSSL going forward at least, though i
can understand if folks are more reluctant to change old versions in a
point release.

--dkg
Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath
On Sat, Dec 01, 2018 at 07:12:24PM +, Michael Wojcik wrote:

> > Are there compatibility concerns around changing error message
> > text for which users may have created regex patterns in scripts?
> >
> > I agree the text could be better, but not sure in what releases
> > if any to change the text, since the change may cause issues
> > for some users.
>
> Sure, this is always a concern. Maybe the change could be considered for
> OpenSSL 3.0, since that's a major release.

Care to create a PR against the "master" branch? Something
along the lines of:

"Provided chain ends with untrusted self-signed certificate"

or better. Here "untrusted" might mean not trusted for the requested
purpose, but more precise is not always more clear.

--
Viktor.
Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Viktor Dukhovni
> Sent: Friday, November 30, 2018 18:38
>
> Are there compatibility concerns around changing error message
> text for which users may have created regex patterns in scripts?
>
> I agree the text could be better, but not sure in what releases
> if any to change the text, since the change may cause issues
> for some users.

Sure, this is always a concern. Maybe the change could be considered for
OpenSSL 3.0, since that's a major release.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath
> On Nov 30, 2018, at 7:33 PM, Sands, Daniel via openssl-users wrote:
>
> > Viktor's points are all good ones, but considering how often this
> > particular message causes confusion for users and developers (at
> > least in my experience), I wonder whether changing the text to
> > "Untrusted self-signed certificate in certificate chain" would help.
> > That would suggest to the user that the problem might be an issue
> > with the trust store.
> >
> My .02: The message "Self-signed certificate in certificate chain"
> does make it sound like OpenSSL rejected the certificate precisely
> because it's self signed, and not because it's an untrusted root
> certificate. I would suggest a less misleading reason, at least.

Are there compatibility concerns around changing error message
text for which users may have created regex patterns in scripts?

I agree the text could be better, but not sure in what releases
if any to change the text, since the change may cause issues
for some users.

--
Viktor.
Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath
On Fri, 2018-11-30 at 23:55 +, Michael Wojcik wrote:
> > > "Self-signed certificate in certificate chain" does not to me
> > > convey "No certificate hash links" (or "CA certificate not found
> > > in hash links").
>
> Viktor's points are all good ones, but considering how often this
> particular message causes confusion for users and developers (at
> least in my experience), I wonder whether changing the text to
> "Untrusted self-signed certificate in certificate chain" would help.
> That would suggest to the user that the problem might be an issue
> with the trust store.
>

My .02: The message "Self-signed certificate in certificate chain"
does make it sound like OpenSSL rejected the certificate precisely
because it's self signed, and not because it's an untrusted root
certificate. I would suggest a less misleading reason, at least.