Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

openssl: set X509_V_FLAG_PARTIAL_CHAIN #4655

Closed
wants to merge 2 commits into from
Closed

Conversation

@bagder
Copy link
Member

bagder commented Nov 29, 2019

Have intermediate certificates in the trust store be treated as
trust-anchors, in the same way as self-signed root CA certificates
are. This allows users to verify servers using the intermediate cert
only, instead of needing the whole chain.

Other TLS backends already accept partial chains.

Reported-by: Jeffrey Walton
Bug: https://curl.haxx.se/mail/lib-2019-11/0094.html

@bagder bagder added the SSL/TLS label Nov 29, 2019
@bagder
Copy link
Member Author

bagder commented Nov 29, 2019

Outstanding question: should I provide a flag to let users disable this? We don't do that for other TLS backends...

@jay
Copy link
Member

jay commented Nov 30, 2019

Why don't they do this by default, is it a security issue? We should know what the argument against it as a default is before doing anything. Looks like I'm not the only one, openssl/openssl#7871

@bagder
Copy link
Member Author

bagder commented Nov 30, 2019

Well, it changes behavior slightly since it'll stop traversing the chain at the intermediate instead of continue through the whole thing so that could be reason enough - not just the security angle. For curl, I suspect it might change how CURLINFO_CERTINFO behaves, for example.

@jay
Copy link
Member

jay commented Nov 30, 2019

Well, it changes behavior slightly since it'll stop traversing the chain at the intermediate instead of continue through the whole thing so that could be reason enough - not just the security angle. For curl, I suspect it might change how CURLINFO_CERTINFO behaves, for example.

Looks like it varies by version.

OpenSSL 1.0.2 doc:

With OpenSSL 1.0.2, chain construction continues as long as there are additional trusted issuers in the trust store, and the last trusted issuer becomes the trust-anchor. Thus, even when an intermediate certificate is found in the trust store, the verified chain passed to callbacks may still be anchored by a root CA.

OpenSSL 1.1.1 doc:

With OpenSSL 1.1.0 and later and <X509_V_FLAG_PARTIAL_CHAIN> set, chain construction stops as soon as the first certificate from the trust store is added to the chain, whether that certificate is a self-signed "root" certificate or a not self-signed intermediate certificate. Thus, when an intermediate certificate is found in the trust store, the verified chain passed to callbacks may be shorter than it otherwise would be without the X509_V_FLAG_PARTIAL_CHAIN flag.

Maybe it should be an SSL option and document it as only applying to openssl
CURLSSLOPT_ALLOW_PARTIAL_CHAIN
--ssl-allow-partial-chain

@bagder
Copy link
Member Author

bagder commented Dec 1, 2019

Maybe it should be an SSL option and document it as only applying to openssl
CURLSSLOPT_ALLOW_PARTIAL_CHAIN

Right, which was what I also asked! 😁 Although I was considering doing the option the other way around, since supporting a partial chain by default might unify the OpenSSL better with the other backends... and for other tools that already set it by default, like wget.

@danielgustafsson
Copy link
Member

danielgustafsson commented Dec 2, 2019

..doing the option the other way around, since supporting a partial chain by default might unify the OpenSSL better with the other backends

👍 on doing it this way, the more we can get the TLS backends to operate in a similar fashion, and thus reduce user confusion, the better.

bagder added 2 commits Dec 2, 2019
Have intermediate certificates in the trust store be treated as
trust-anchors, in the same way as self-signed root CA certificates
are. This allows users to verify servers using the intermediate cert
only, instead of needing the whole chain.

Other TLS backends already accept partial chains.

Reported-by: Jeffrey Walton
Bug: https://curl.haxx.se/mail/lib-2019-11/0094.html
Closes #4655
@bagder bagder force-pushed the bagder/openssl-partial-chain branch from b2930cc to 60b811b Dec 2, 2019
@bagder bagder closed this in 564d88a Dec 3, 2019
@bagder bagder deleted the bagder/openssl-partial-chain branch Dec 3, 2019
jay added a commit that referenced this pull request Dec 6, 2019
Add support for CURLSSLOPT_NO_PARTIALCHAIN in CURLOPT_PROXY_SSL_OPTIONS
and OS400 package spec.

Also I added the option to the NameValue list in the tool even though it
isn't exposed as a command-line option (...yet?). (NameValue stringizes
the option name for the curl cmd -> libcurl source generator)

Follow-up to 564d88a which added CURLSSLOPT_NO_PARTIALCHAIN.

Ref: #4655
@lock lock bot locked as resolved and limited conversation to collaborators Mar 10, 2020
@mkauf
Copy link
Contributor

mkauf commented May 4, 2020

@bagder : There's a bug in the release notes at https://curl.haxx.se/changes.html , "openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains" points to https://curl.haxx.se/bug/?i=4665 instead of https://curl.haxx.se/bug/?i=4655

@bagder
Copy link
Member Author

bagder commented May 4, 2020

Thanks, fixing!

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

4 participants
You can’t perform that action at this time.