[ https://issues.apache.org/jira/browse/PROTON-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Clifford Jansen resolved PROTON-2856.
-------------------------------------
    Fix Version/s: proton-c-0.40.0
       Resolution: Fixed

> Provide TLS support for intermediate CA certificates as trust anchors in OpenSSL
> ---------------------------------------------------------------------------------
>
>                 Key: PROTON-2856
>                 URL: https://issues.apache.org/jira/browse/PROTON-2856
>             Project: Qpid Proton
>          Issue Type: Improvement
>          Components: proton-c
>    Affects Versions: proton-c-0.39.0
>         Environment: Proton-C built with OpenSSL
>            Reporter: Clifford Jansen
>            Assignee: Clifford Jansen
>            Priority: Major
>             Fix For: proton-c-0.40.0
>
>
> The current implementation of TLS in Proton-C uses the default certificate 
> verification algorithms provided by the OpenSSL library.
> This has the effect of making it difficult to use intermediate CA 
> certificates in Proton-C to provide finer grade security envelopes for use, 
> for example, by different organizational units in an organization or to 
> differentiate subnets in cloud environments.  Currently an intermediate CA, 
> by default, cannot be used to anchor a subtree of a parent root CA because 
> the root CA must also be in the trust store, at which point the whole tree 
> flowing from the root CA becomes trusted.
> This behavior goes against current user expectations and industry norms.  See
>   https://github.com/golang/go/issues/24685#issuecomment-1058119312
> This makes it difficult for Proton-C users to use certificate chain tooling 
> that they already have in place.
> This JIRA proposes to set the X509_V_FLAG_PARTIAL_CHAIN flag when verifying 
> peer certificates in OpenSSL.
> An additional advantage is a shortened verification sequence.
> After this change, existing trust stores for use with Proton-C that contain 
> self-signed root certificates will continue to verify the whole subordinate 
> trees of leaf certificates that flow from those roots.  Users will now be 
> able to create new trust stores that limit trust to subtrees anchored to 
> intermediate CA certificates.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
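
The behaviour change described in the issue can be reproduced with `openssl verify`, whose `-partial_chain` option sets the same X509_V_FLAG_PARTIAL_CHAIN flag. This is an added example, not code from the issue or from Proton-C; the throwaway PKI and its names (root, ca_a, ca_b, leaf_a, leaf_b) are constructed, and it assumes OpenSSL 1.1.0 or later on the PATH.

```shell
#!/bin/sh
# Added example. Constructed throwaway PKI (all names are made up):
#   root -> ca_a -> leaf_a        root -> ca_b -> leaf_b
PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT

# Create a key and a CSR for CN=$1.
csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
}

# Sign $1's CSR with issuer $2; a third argument "ca" adds the CA extensions.
sign() {
  extopt=""
  [ "${3:-}" = ca ] && extopt="-extfile $PKI/ca.ext"
  openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/$2.pem" -CAkey "$PKI/$2.key" \
    -CAcreateserial -days 1 $extopt -out "$PKI/$1.pem" 2>/dev/null
}

build_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$PKI/ca.ext"
  csr root && openssl x509 -req -in "$PKI/root.csr" -signkey "$PKI/root.key" \
    -extfile "$PKI/ca.ext" -days 1 -out "$PKI/root.pem" 2>/dev/null &&
  csr ca_a && sign ca_a root ca && csr ca_b && sign ca_b root ca &&
  csr leaf_a && sign leaf_a ca_a && csr leaf_b && sign leaf_b ca_b
}

# Verify leaf $1 with $2.pem as the trust anchor file. Further arguments go to
# `openssl verify`; -untrusted supplies the chain a peer would send.
check() {
  leaf=$1; anchor=$2; shift 2
  if openssl verify -CAfile "$PKI/$anchor.pem" "$@" "$PKI/$leaf.pem" >/dev/null 2>&1
  then echo accepted; else echo rejected; fi
}

build_pki || { echo "PKI setup failed" >&2; exit 1; }
# Root in the store: both subtrees are trusted, with or without the flag.
echo "store=root default       leaf_a: $(check leaf_a root -untrusted "$PKI/ca_a.pem")"
echo "store=root partial_chain leaf_b: $(check leaf_b root -partial_chain -untrusted "$PKI/ca_b.pem")"
# Only the intermediate in the store: default verification cannot reach a root.
echo "store=ca_a default       leaf_a: $(check leaf_a ca_a)"
# With the flag, ca_a anchors its own subtree and nothing else.
echo "store=ca_a partial_chain leaf_a: $(check leaf_a ca_a -partial_chain)"
echo "store=ca_a partial_chain leaf_b: $(check leaf_b ca_a -partial_chain -untrusted "$PKI/ca_b.pem")"
```

The last two lines are the scoping the issue asks for: a store holding only ca_a accepts leaf_a and rejects the sibling subtree's leaf_b.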
