Terminate chain at intermediate certificate.
Hi, Is there a way to instruct openssl to treat an intermediate CA as a trusted CA, which need not have its issuer checked i.e. it will be the last certificate of the certificate chain. It seems that openssl insists on always terminating a chain at a self-signed certificate. However, in this case, we want to limit ourselves in a sub-tree of the CA and not expose ourselves to other branches of the hierarchy that are not relevant to us. We have no control over the generation of the certificates and we can't solve the problem by restructuring or recreating the CA hierarchy. To make things easier I will demonstrate with an example. Lets define 3 certificates A, B, and C. A is a self-signed root CA (root ca) B is a sub CA signed by A. (intermediate ca) C is a server certificate signed by B. (server certificate) A -> B -> C We would like to treat B as the end of the chain and never install A anywhere. As far as our setup is concerned, B is the root CA, it just happens to not be self-signed. We want to be able to connect a client, which trusts 'B', to a server that only has 'C'. 'A' should not enter the picture at all. What is the correct way to achieve this with openssl? Thanks, Dimitrios Siganos __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Terminate chain at intermediate certificate.
On Wed, Nov 10, 2010 at 11:02:05PM +, Dimitrios Siganos wrote: > > You can turn the can't find local issuer error for B, into an > > OK in the verification callback by specifically whitelisting > > the the fingerprint of B, or finding B in a suitable store. > > So the solution is: > 1) Maintain a list of trusted fingerprints (trusted intermediate CAs). > 2) On UNABLE_TO_GET_ISSUER_CERT_LOCALLY (in verify callback), return 1, > if the cert's fingerprint is listed in in my trusted fingerprints list. Yes, something along these lines. > Does that mean that the verification can continue as normal and all the > usual tests, not yet performed, will be performed as usual? Yes. > >> We want to be able to connect a client, which trusts 'B', to a server > >> that only has 'C'. 'A' should not enter the picture at all. > >> > >> What is the correct way to achieve this with openssl? > > > > If you are coding the SSL client, you can customize the verification > > callbacks. The default verification callbacks check for a trusted > > self-signed root. This may be easier if the server presents "B+C", > > not just "C" as its cert chain. > > Yes, I am coding the SSL client only. My client must work in all > possible scenarios. I have no control over the server(s) and don't know > how they will present their certificates. Are you saying that the > solution above is inadequate? If the server only presents "C", then the verification callbacks won't necessarily find "B", whose public key you need to verify the chain. I've not tested this case, so I don't know whether OpenSSL will find "B" if it is listed in the "CAfile" or "CApath". You may need to play with the not very extensively documented X509_STORE functions if "B" is not automatically found. It should be possible, may be more work. This concern is moot if the intermediate "B" is automatically found by the default X509_STORE logic, even when the server only presents "C" as its trust chain. You'll have to test this, or perhaps someone else on the list knows the answer... -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Terminate chain at intermediate certificate.
On Wed, Nov 10, 2010, Dimitrios Siganos wrote: > Hi, > > Is there a way to instruct openssl to treat an intermediate CA as a > trusted CA, which need not have its issuer checked i.e. it will be the > last certificate of the certificate chain. > > It seems that openssl insists on always terminating a chain at a > self-signed certificate. However, in this case, we want to limit > ourselves in a sub-tree of the CA and not expose ourselves to other > branches of the hierarchy that are not relevant to us. We have no > control over the generation of the certificates and we can't solve the > problem by restructuring or recreating the CA hierarchy. > > To make things easier I will demonstrate with an example. Lets define 3 > certificates A, B, and C. > > A is a self-signed root CA (root ca) > B is a sub CA signed by A. (intermediate ca) > C is a server certificate signed by B. (server certificate) > > A -> B -> C > > We would like to treat B as the end of the chain and never install A > anywhere. As far as our setup is concerned, B is the root CA, it just > happens to not be self-signed. > > We want to be able to connect a client, which trusts 'B', to a server > that only has 'C'. 'A' should not enter the picture at all. > > What is the correct way to achieve this with openssl? > There is an EXPERIMENTAL change in the verify algorithm present in the unstable branch of OpenSSL only. In that if you change the trust settings of an intermediate certificate (see x509 utility) and the chain cannot be completed it will still be regarded as successful. The main change is: http://cvs.openssl.org/chngview?cn=19322 This could be backported to 1.0.x at some point once it has been tested more. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Terminate chain at intermediate certificate.
On 10/11/10 22:30, Victor Duchovni wrote: > On Wed, Nov 10, 2010 at 10:10:48PM +, Dimitrios Siganos wrote: > You can turn the can't find local issuer error for B, into an > OK in the verification callback by specifically whitelisting > the the fingerprint of B, or finding B in a suitable store. So the solution is: 1) Maintain a list of trusted fingerprints (trusted intermediate CAs). 2) On UNABLE_TO_GET_ISSUER_CERT_LOCALLY (in verify callback), return 1, if the cert's fingerprint is listed in in my trusted fingerprints list. Does that mean that the verification can continue as normal and all the usual tests, not yet performed, will be performed as usual? >> We want to be able to connect a client, which trusts 'B', to a server >> that only has 'C'. 'A' should not enter the picture at all. >> >> What is the correct way to achieve this with openssl? > > If you are coding the SSL client, you can customize the verification > callbacks. The default verification callbacks check for a trusted > self-signed root. This may be easier if the server presents "B+C", > not just "C" as its cert chain. Yes, I am coding the SSL client only. My client must work in all possible scenarios. I have no control over the server(s) and don't know how they will present their certificates. Are you saying that the solution above is inadequate? Thank you very much for your quick reply. Dimitrios Siganos __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Terminate chain at intermediate certificate.
On Wed, Nov 10, 2010 at 10:10:48PM +, Dimitrios Siganos wrote: > Hi, > > Is there a way to instruct openssl to treat an intermediate CA as a > trusted CA, which need not have its issuer checked i.e. it will be the > last certificate of the certificate chain. > > It seems that openssl insists on always terminating a chain at a > self-signed certificate. However, in this case, we want to limit > ourselves in a sub-tree of the CA and not expose ourselves to other > branches of the hierarchy that are not relevant to us. We have no > control over the generation of the certificates and we can't solve the > problem by restructuring or recreating the CA hierarchy. You typicall have control of certificate chain verification via verification callbacks (at least in SSL). You can insist that the intermediate certificate in question be present in the trust chain. > A is a self-signed root CA (root ca) > B is a sub CA signed by A. (intermediate ca) > C is a server certificate signed by B. (server certificate) > > A -> B -> C > > We would like to treat B as the end of the chain and never install A > anywhere. As far as our setup is concerned, B is the root CA, it just > happens to not be self-signed. You can turn the can't find local issuer error for B, into an OK in the verification callback by specifically whitelisting the the fingerprint of B, or finding B in a suitable store. > We want to be able to connect a client, which trusts 'B', to a server > that only has 'C'. 'A' should not enter the picture at all. > > What is the correct way to achieve this with openssl? If you are coding the SSL client, you can customize the verification callbacks. The default verification callbacks check for a trusted self-signed root. This may be easier if the server presents "B+C", not just "C" as its cert chain. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Terminate chain at intermediate certificate.
Hi, Is there a way to instruct openssl to treat an intermediate CA as a trusted CA, which need not have its issuer checked i.e. it will be the last certificate of the certificate chain. It seems that openssl insists on always terminating a chain at a self-signed certificate. However, in this case, we want to limit ourselves in a sub-tree of the CA and not expose ourselves to other branches of the hierarchy that are not relevant to us. We have no control over the generation of the certificates and we can't solve the problem by restructuring or recreating the CA hierarchy. To make things easier I will demonstrate with an example. Lets define 3 certificates A, B, and C. A is a self-signed root CA (root ca) B is a sub CA signed by A. (intermediate ca) C is a server certificate signed by B. (server certificate) A -> B -> C We would like to treat B as the end of the chain and never install A anywhere. As far as our setup is concerned, B is the root CA, it just happens to not be self-signed. We want to be able to connect a client, which trusts 'B', to a server that only has 'C'. 'A' should not enter the picture at all. What is the correct way to achieve this with openssl? Thanks, Dimitrios Siganos __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org