openssl: set X509_V_FLAG_PARTIAL_CHAIN #4655
Conversation
|
Outstanding question: should I provide a flag to let users disable this? We don't do that for other TLS backends... |
|
Why don't they do this by default, is it a security issue? We should know what the argument against it as a default is before doing anything. Looks like I'm not the only one, openssl/openssl#7871 |
|
Well, it changes behavior slightly since it'll stop traversing the chain at the intermediate instead of continue through the whole thing so that could be reason enough - not just the security angle. For curl, I suspect it might change how |
Looks like it varies by version. OpenSSL 1.0.2 doc: With OpenSSL 1.0.2, chain construction continues as long as there are additional trusted issuers in the trust store, and the last trusted issuer becomes the trust-anchor. Thus, even when an intermediate certificate is found in the trust store, the verified chain passed to callbacks may still be anchored by a root CA. OpenSSL 1.1.1 doc: With OpenSSL 1.1.0 and later and <X509_V_FLAG_PARTIAL_CHAIN> set, chain construction stops as soon as the first certificate from the trust store is added to the chain, whether that certificate is a self-signed "root" certificate or a not self-signed intermediate certificate. Thus, when an intermediate certificate is found in the trust store, the verified chain passed to callbacks may be shorter than it otherwise would be without the X509_V_FLAG_PARTIAL_CHAIN flag. Maybe it should be an SSL option and document it as only applying to openssl |
Right, which was what I also asked! 😁 Although I was considering doing the option the other way around, since supporting a partial chain by default might unify the OpenSSL better with the other backends... and for other tools that already set it by default, like wget. |
👍 on doing it this way, the more we can get the TLS backends to operate in a similar fashion, and thus reduce user confusion, the better. |
Have intermediate certificates in the trust store be treated as trust-anchors, in the same way as self-signed root CA certificates are. This allows users to verify servers using the intermediate cert only, instead of needing the whole chain. Other TLS backends already accept partial chains. Reported-by: Jeffrey Walton Bug: https://curl.haxx.se/mail/lib-2019-11/0094.html
bagder
force-pushed
the
bagder/openssl-partial-chain
branch
from
b2930cc
to
60b811b
Compare
Add support for CURLSSLOPT_NO_PARTIALCHAIN in CURLOPT_PROXY_SSL_OPTIONS and OS400 package spec. Also I added the option to the NameValue list in the tool even though it isn't exposed as a command-line option (...yet?). (NameValue stringizes the option name for the curl cmd -> libcurl source generator) Follow-up to 564d88a which added CURLSSLOPT_NO_PARTIALCHAIN. Ref: #4655
|
@bagder : There's a bug in the release notes at https://curl.haxx.se/changes.html , "openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains" points to https://curl.haxx.se/bug/?i=4665 instead of https://curl.haxx.se/bug/?i=4655 |
|
Thanks, fixing! |
Have intermediate certificates in the trust store be treated as
trust-anchors, in the same way as self-signed root CA certificates
are. This allows users to verify servers using the intermediate cert
only, instead of needing the whole chain.
Other TLS backends already accept partial chains.
Reported-by: Jeffrey Walton
Bug: https://curl.haxx.se/mail/lib-2019-11/0094.html