[ https://issues.apache.org/jira/browse/PROTON-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17896027#comment-17896027 ]
ASF subversion and git services commented on PROTON-2856:
---------------------------------------------------------

Commit 2aed3743363835ee63858a276d88d4cc4c0c6189 in qpid-proton's branch refs/heads/main from Clifford Jansen
[ https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=2aed37433 ]

PROTON-2856: allow trusted intermediate CA verification using OpenSSL

> Provide TLS support for intermediate CA certificates as trust anchors in
> OpenSSL
> ---------------------------------------------------------------------------------
>
>                 Key: PROTON-2856
>                 URL: https://issues.apache.org/jira/browse/PROTON-2856
>             Project: Qpid Proton
>          Issue Type: Improvement
>          Components: proton-c
>    Affects Versions: proton-c-0.39.0
>         Environment: Proton-C built with OpenSSL
>            Reporter: Clifford Jansen
>            Assignee: Clifford Jansen
>            Priority: Major
>
> The current implementation of TLS in Proton-C uses the default certificate
> verification algorithms provided by the OpenSSL library.
>
> This has the effect of making it difficult to use intermediate CA
> certificates in Proton-C to provide finer grade security envelopes for use,
> for example, by different organizational units in an organization or to
> differentiate subnets in cloud environments. Currently an intermediate CA,
> by default, cannot be used to anchor a subtree of a parent root CA because
> the root CA must also be in the trust store, at which point the whole tree
> flowing from the root CA becomes trusted.
>
> This behavior goes against current user expectations and industry norms. See
> https://github.com/golang/go/issues/24685#issuecomment-1058119312
>
> This makes it difficult for Proton-C users to use certificate chain tooling
> that they already have in place.
>
> This JIRA proposes to set the X509_V_FLAG_PARTIAL_CHAIN flag when verifying
> peer certificates in OpenSSL.
>
> An additional advantage is a shortened verification sequence.
>
> After this change, existing trust stores for use with Proton-C that contain
> self-signed root certificates will continue to verify the whole subordinate
> trees of leaf certificates that flow from those roots. Users will now be
> able to create new trust stores that limit trust to subtrees anchored to
> intermediate CA certificates.
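The flag the issue proposes, X509_V_FLAG_PARTIAL_CHAIN, is also reachable from Python's standard ssl module, which is a thin binding over the same OpenSSL verifier. The following is an added illustration, not Proton-C code and not part of the Jira thread: it builds a client context whose trust store is a hypothetical PEM file (the cafile path is a placeholder) and toggles partial-chain verification on or off, so the difference described above can be reproduced outside Proton. The function and constant names are this example's own.

```python
"""Added illustration (not Proton-C code): turning on OpenSSL's partial-chain
verification (X509_V_FLAG_PARTIAL_CHAIN) through Python's ssl module."""
import ssl

# Python >= 3.10 exposes the flag by name; the numeric fallback is the value of
# X509_V_FLAG_PARTIAL_CHAIN in OpenSSL's x509_vfy.h (0x80000).
PARTIAL_CHAIN = int(getattr(ssl, "VERIFY_X509_PARTIAL_CHAIN", 0x80000))


def trust_anchor_context(cafile=None, *, partial_chain=True):
    """Build a verifying client context whose trust store is `cafile`.

    cafile is a hypothetical path to a PEM bundle; pass None to keep the
    context empty (useful for inspecting flags without a file on disk).

    partial_chain=True: a peer chain that reaches ANY certificate in the store,
    an intermediate CA included, verifies. The self-signed root need not be in
    the store, so trust can be limited to that intermediate's subtree.
    partial_chain=False: OpenSSL's historical default; the chain must extend
    to a self-signed root present in the store, which drags in every subtree
    beneath that root.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    if partial_chain:
        ctx.verify_flags = int(ctx.verify_flags) | PARTIAL_CHAIN
    else:
        ctx.verify_flags = int(ctx.verify_flags) & ~PARTIAL_CHAIN
    return ctx


def accepts_intermediate_anchor(ctx):
    """True when `ctx` will treat a trusted intermediate CA as the end of a chain."""
    return bool(int(ctx.verify_flags) & PARTIAL_CHAIN)


if __name__ == "__main__":
    # Placeholder path; replace with a bundle holding only the intermediate CA
    # to observe the behaviour the issue describes.
    for enabled in (True, False):
        ctx = trust_anchor_context(partial_chain=enabled)
        print(f"partial_chain={enabled}: "
              f"accepts intermediate anchor = {accepts_intermediate_anchor(ctx)}")
```

With a bundle that contains only the intermediate CA, the `partial_chain=False` context rejects a leaf issued by that intermediate because the verifier cannot extend the chain to a self-signed root in the store, while the `partial_chain=True` context accepts it. One consequence to keep in view when scoping trust this way: the root is no longer consulted, so a revocation of the intermediate published by the root is not seen by this verifier and must be enforced separately.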