Clifford Jansen created PROTON-2856:
---------------------------------------

Summary: Provide TLS support for intermediate CA certificates as trust anchors in OpenSSL
Key: PROTON-2856
URL: https://issues.apache.org/jira/browse/PROTON-2856
Project: Qpid Proton
Issue Type: Improvement
Components: proton-c
Affects Versions: proton-c-0.39.0
Environment: Proton-C built with OpenSSL
Reporter: Clifford Jansen
Assignee: Clifford Jansen

The current implementation of TLS in Proton-C uses the default certificate verification algorithms provided by the OpenSSL library. This has the effect of making it difficult to use intermediate CA certificates in Proton-C to provide finer grade security envelopes for use, for example, by different organizational units in an organization or to differentiate subnets in cloud environments.

Currently an intermediate CA, by default, cannot be used to anchor a subtree of a parent root CA because the root CA must also be in the trust store, at which point the whole tree flowing from the root CA becomes trusted.

This behavior goes against current user expectations and industry norms. See https://github.com/golang/go/issues/24685#issuecomment-1058119312

This makes it difficult for Proton-C users to use certificate chain tooling that they already have in place.

This JIRA proposes to set the X509_V_FLAG_PARTIAL_CHAIN flag when verifying peer certificates in OpenSSL. An additional advantage is a shortened verification sequence.

After this change, existing trust stores for use with Proton-C that contain self-signed root certificates will continue to verify the whole subordinate trees of leaf certificates that flow from those roots. Users will now be able to create new trust stores that limit trust to subtrees anchored to intermediate CA certificates.
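The trust-store behaviour described in this issue can be reproduced with the `openssl` command line, where `openssl verify -partial_chain` sets the same X509_V_FLAG_PARTIAL_CHAIN flag. The script below is an added example, not part of the original message or of Proton-C; the throwaway certificates, the file names and the `issue`, `build_pki`, `verify` and `report` helpers are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Constructed throwaway PKI, all names made up:
#   root -> int_a -> leaf_a        root -> int_b -> leaf_b

# issue NAME ISSUER EXTFILE: make NAME.key and NAME.pem ("self" = self-signed)
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo $1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
    if [ "$2" = self ]; then signer="-signkey $1.key"
    else signer="-CA $2.pem -CAkey $2.key -CAcreateserial"; fi
    # $signer is left unquoted on purpose so it splits into options
    openssl x509 -req -in "$1.csr" $signer -extfile "$3" -days 2 \
        -out "$1.pem" 2>/dev/null
}

build_pki() {
    PKI=$(mktemp -d) || return 1
    (
        cd "$PKI" || exit 1
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
        printf 'basicConstraints=CA:FALSE\n' > leaf.ext
        issue root self ca.ext &&
        issue int_a root ca.ext && issue int_b root ca.ext &&
        issue leaf_a int_a leaf.ext && issue leaf_b int_b leaf.ext
    )
}

# verify ANCHOR LEAF [openssl verify options]: status 0 means the chain was accepted.
# -trusted makes ANCHOR.pem the only trust store; -partial_chain is the
# command-line switch for X509_V_FLAG_PARTIAL_CHAIN.
verify() {
    anchor=$1 leaf=$2; shift 2
    openssl verify "$@" -trusted "$PKI/$anchor.pem" "$PKI/$leaf.pem" >/dev/null 2>&1
}
report() { if verify "$@"; then echo accepted; else echo rejected; fi; }

build_pki || { echo "PKI setup failed (is openssl installed?)" >&2; exit 1; }
trap 'rm -rf "$PKI"' EXIT

echo "int_a only, default flags:        $(report int_a leaf_a)"                 # rejected
echo "int_a only, partial chain:        $(report int_a leaf_a -partial_chain)"  # accepted
echo "int_a only, sibling subtree leaf: $(report int_a leaf_b -partial_chain -untrusted "$PKI/int_b.pem")"  # rejected
echo "root store, int_a untrusted:      $(report root leaf_a -untrusted "$PKI/int_a.pem")"                  # accepted
```

The third case is the one that matters for scoping trust: with only `int_a` in the store, a leaf issued under the sibling intermediate of the same root is still rejected.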