-
-
Notifications
You must be signed in to change notification settings - Fork 10k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cert signed by CA with constraint 'CA:FALSE' are considered valid #5236
Comments
The OpenSSL utilities will sign a certificate without really looking at the signer's certificate. When verifying a certificate chain, OpenSSL library will see that an invalid CA signed the cert. Just like gnuTLS, etc. Are you sure that openssl did not do this? What version are you using? |
@arekkusu I think it would be helpful if you could attach the ca cert and server key+cert for which you see this behaviour. |
Yes I am quite sure. I have used the CA cert with 'CA:false' with OpenLDAP/openssl on CentOS 7 for month. Only recently noticed that OpenLDAP/gnutls in Ubuntu14/Ubuntu16 fails. Note the extension I used in my openssl config:
Let me generate cert + log I can share. |
What version of openssl is your ldap build using? |
Sorry I was unclear. "You don't need to share that information" I meant about generating and posting certs or a cert chain. Knowing the version used in your ldap config would be interesting. But this fundamentally comes down to an erroneous config file using a non-CA cert as a CA. Really old versions of openssl did not check this, current ones should. I will leave this open until we find out the openssl version used in the ldap server. |
Ok added the cert to my first post anyway... I confirm the behavior with following:
openssl s_client does return:
While it should be following if the check failed
GnuTLS returns:
|
1.0.2k is a bit outdated, but ... I'm stumped. Anyone else @openssl ? |
Just compiled latest (LTS) openssl and I still see the same behavior.
How to reproduce:
So I am either doing something wrong or it's is possibly an issue in OpenSSL. |
The newest release is 1.1.0g, which includes a near-complete rewrite of certificate verification. |
Yeah, but the "check CA flag" code seems to be in 1.0.2, for a very long time. Hence my confusion. |
IIRC we do not apply purpose checking to trusted certificates prior to 1.1.0 |
I can confirm the issue with openssl 1.0.1t and 1.0.2k, but not with 1.1.0g. |
Aha. That was the point I missed, thanks Ben. So this is a bug in 1.0.2 (or at least a mis-feature) and it's fixed in 1.1.0 We're not going to change the behavior in 1.0.2 I am going to close this. |
Sorry I did not realize I compiled the latest LTS and not the latest. I confirm everything is fine on openssl-1.1.0g Thanks a lot for your help ! |
For info this change in behaviour was introduced by this commit: 0daccd4. It applies to 1.1.0 and master only. So prior to that we don't check chain extensions for trusted certificates. |
Technically the certificate is not compliant with RFC 5280, if this is the config used:
From section 4.2.1.9 Basic Constraints:
That said, yes, OpenSSL should fail safe in this scenario. |
This issue has CVE-2021-3601 assigned. |
CVE was not issued by the OpenSSL CNA. CVE should be rejected. OpenSSL does not class this issue as a security vulnerability. The trusted CA store should not contain anything that the user does not trust to issue other certificates. |
The CVE was assigned to 1.0.2 specifically, at a time when it was already not supported by the OpenSSL Project. |
The project still analyses reports of vulnerabilities against 1.0.2 and continues to issue CVEs for it (the most recent one being CVE-2022-2068 which was published last month) |
CNA's are not allowed to assign a CVE name for any issue in a product covered by another CNA, even if it was unsupported. The CNA should first be approached and asked to assign a name, and any lack of response or dispute is then escalated to their root CNA. |
It was not my decision, I'm just a messanger, please talk with Red Hat Product Security directly: secalert@redhat.com |
We had the CVE reassigned to our CNA and published the rejection https://www.cve.org/CVERecord?id=CVE-2021-3601 |
LDAPServer-generate-cert.txt
LDAPServer-setup-ca.txt
openssl_ca.conf.txt
openssl_srv.conf.txt
CA cert
ca_false.crt.txt
ca_true.crt.txt
Server Cert + Key
server_ca_false.crt.txt
server_ca_false.key.txt
server_ca_true.crt.txt
server_ca_true.key.txt
I am unsure if this is a bug or a known implementation difference between SSL libraries.
It certainly created some confusion so here it is:
I Created a CA and signed certificates with it
Certificate considered trusted by OpenSSL and moznss
Certificate considered not trusted by GnuTLS
How to test:
Result: gnu-tls could not verify the cert create by a CA with "CA:FALSE", works with "CA:TRUE:. Both work with openssl.
Reading about the CA constrain it sounds logical this should be turned on for a CA. Is OpenSSL behavior correct ?
The text was updated successfully, but these errors were encountered: