Linux SslStream sends intermediate certificates in wrong order #28813

Closed
bartonjs opened this issue Feb 28, 2019 · 1 comment
Labels
area-System.Net.Security os-linux Linux OS (any supported distro)
Milestone

Comments

@bartonjs (Member)

When a certificate chain has 4 or more elements (end-entity -> low issuer -> ... -> high issuer -> root) the intermediate certificates are written in the wrong order on the wire.

  • Create a certificate whose chain has 4 or more elements
  • Trust the root
  • Use the end-entity certificate in a server-role SslStream
  • Connect to the endpoint using openssl s_client (e.g. openssl s_client -connect localhost:8000)
  • Observe the certificate ordering

Expected:

---
Certificate chain
 0 s:/CN=End-Entity
   i:/CN=Low Issuer
 1 s:/CN=Low Issuer
   i:/CN=High Issuer
 2 s:/CN=High Issuer
   i:/CN=Trusted Root
---

Actual:

---
Certificate chain
 0 s:/CN=End-Entity
   i:/CN=Low Issuer
 1 s:/CN=High Issuer
   i:/CN=Trusted Root
 2 s:/CN=Low Issuer
   i:/CN=High Issuer
---

This puts our "long chain" implementation out of compliance with https://tools.ietf.org/html/rfc5246#section-7.4.2

   certificate_list
      This is a sequence (chain) of certificates.  The sender's
      certificate MUST come first in the list.  Each following
      certificate MUST directly certify the one preceding it.  [...]
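The ordering rule quoted above can be checked mechanically against what a server actually sends. The following is an added example, not code from the issue or from dotnet/corefx: it parses the `Certificate chain` section as `openssl s_client` prints it (the `/CN=` form shown in the issue; newer OpenSSL prints `CN = ...`, which the same capture also accepts), reports every position where a certificate does not directly certify the one before it, and rebuilds the RFC 5246 7.4.2 order by following issuer names from the end-entity. The two sample chains are the issue's own "Expected" and "Actual" output, embedded here as constructed string constants.

```python
import re
from typing import Dict, List, Tuple
Cert = Tuple[str, str]  # (subject, issuer) as printed by openssl s_client

# Constructed sample input: the two chains quoted in the issue.
EXPECTED_CHAIN = """\
 0 s:/CN=End-Entity
   i:/CN=Low Issuer
 1 s:/CN=Low Issuer
   i:/CN=High Issuer
 2 s:/CN=High Issuer
   i:/CN=Trusted Root
"""
ACTUAL_CHAIN = """\
 0 s:/CN=End-Entity
   i:/CN=Low Issuer
 1 s:/CN=High Issuer
   i:/CN=Trusted Root
 2 s:/CN=Low Issuer
   i:/CN=High Issuer
"""

def parse_chain(text: str) -> List[Cert]:
    """Return (subject, issuer) pairs in wire order from a 'Certificate chain' dump."""
    lines = text.splitlines()
    chain: List[Cert] = []
    for subj_line, iss_line in zip(lines, lines[1:]):
        s = re.match(r"^\s*\d+\s+s:(.+)$", subj_line)   # " 0 s:/CN=..." line
        i = re.match(r"^\s*i:(.+)$", iss_line)           # following "   i:/CN=..." line
        if s and i:
            chain.append((s.group(1).strip(), i.group(1).strip()))
    return chain

def order_violations(chain: List[Cert]) -> List[int]:
    """Positions whose subject is not the issuer of the preceding cert (RFC 5246 7.4.2); empty = compliant."""
    return [p for p in range(1, len(chain)) if chain[p][0] != chain[p - 1][1]]

def rfc_order(chain: List[Cert]) -> List[Cert]:
    """Rebuild the required order: from position 0, follow each issuer name to the cert with that subject."""
    by_subject: Dict[str, Cert] = {subj: (subj, iss) for subj, iss in chain}
    ordered: List[Cert] = []
    cur = chain[0] if chain else None
    while cur is not None and cur not in ordered:   # stop at the root (not sent) or on a loop
        ordered.append(cur)
        cur = by_subject.get(cur[1])
    return ordered

if __name__ == "__main__":
    for name, text in (("expected", EXPECTED_CHAIN), ("actual", ACTUAL_CHAIN)):
        print(name, order_violations(parse_chain(text)) or "compliant")
```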
@bartonjs bartonjs self-assigned this Feb 28, 2019
@bartonjs (Member Author)

bartonjs commented Mar 7, 2019

This will be fixed in the next releases (2.1.10, 2.2.4, 3.0 preview 4)

@bartonjs bartonjs closed this as completed Mar 7, 2019
@msftgits msftgits transferred this issue from dotnet/corefx Feb 1, 2020
@msftgits msftgits added this to the 2.1.x milestone Feb 1, 2020
@ghost ghost locked as resolved and limited conversation to collaborators Dec 14, 2020
@bartonjs bartonjs removed their assignment Jul 26, 2021
Development

No branches or pull requests

2 participants