Hi Nico,

As described in the OpenSSL documentation, the two functions are equivalent:

SSL_set_client_CA_list() sets the list of CAs sent to the client when 
requesting a client certificate for the chosen ssl, overriding the setting 
valid for ssl's SSL_CTX object.

SSL_CTX_add_client_CA() adds the CA name extracted from cacert to the list of 
CAs sent to the client when requesting a client certificate for ctx.

The problem may be solved by sending two certificates to the client, and it will 
check which one to verify according to the CA that issued the server certificate.

SSL_CTX_load_verify_locations can't help because the certificates are stored in a 
blob, not in files.

Regards

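Added example, not code from this thread: a small Python parser over a constructed excerpt of the `openssl s_client -showcerts` output quoted below. It extracts the server's certificate chain and the advertised client-CA names so the two relevant checks can be run: whether pit-ca is in the CertificateRequest list (it is), and whether the chain the server sends is contiguous (it is not: the leaf's issuer, RapidSSL CA, is never sent and pit-ca follows the leaf instead, which is what verify return code 21 indicates).

```python
import re

# Constructed excerpt of the s_client -showcerts output quoted in this thread.
S_CLIENT_OUTPUT = """\
Certificate chain
 0 s:/serialNumber=abcu8WWhYjl3NQaipWsZh5eFlY3Giv71/OU=GT82566018/CN=secure.payerspot.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=Caradas/OU=PIT/CN=pit-ca
   i:/C=US/O=Caradas/OU=PIT/CN=pit-root
 2 s:/C=US/O=Caradas/OU=PIT/CN=pit-root
   i:/C=US/O=Caradas/OU=PIT/CN=pit-root
---
Acceptable client certificate CA names
/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
/C=US/O=Caradas/OU=PIT/CN=pit-ca
/C=US/O=Caradas/OU=PIT/CN=pit-root
---
"""

def parse_s_client(text):
    """Return (chain, ca_names): [(subject, issuer)] as sent, and the client-CA list."""
    chain, ca_names, section, subject = [], [], None, None
    for line in text.splitlines():
        if line == "---":
            section = None
        elif line == "Certificate chain":
            section = "chain"
        elif line == "Acceptable client certificate CA names":
            section = "ca"
        elif section == "chain":
            # " 0 s:<subject>" is followed by "   i:<issuer>" for the same cert
            m = re.match(r"\s*(\d+ s|i):(.*)", line)
            if m and m.group(1) != "i":
                subject = m.group(2)
            elif m:
                chain.append((subject, m.group(2)))
        elif section == "ca":
            ca_names.append(line)
    return chain, ca_names

def chain_gaps(chain):
    # Positions i where cert i's issuer is not cert i+1's subject (verify code 21).
    return [i for i in range(len(chain) - 1) if chain[i][1] != chain[i + 1][0]]

def missing_issuers(chain):
    # Non-self-signed issuers never sent as a subject: intermediates the server omits.
    subjects = {s for s, _ in chain}
    return [i for s, i in chain if i != s and i not in subjects]
```

On this excerpt the gap shows that the certificates added with SSL_CTX_add_extra_chain_cert (pit-ca, pit-root) are not the issuer of the server certificate, while the client-CA list already contains pit-ca.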

----- Original Message -----
From: nicolas....@free.fr
To: openssl-users@openssl.org
Date: Thu, 12 Jun 2014 16:22:36 +0200 (CEST)
Subject: Re : Re: 2 Server certificates

> Hi
> 
> it seems that you could use the following functions:
> 
> void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
> -> sets the list of trusted CAs sent to the client (here Rapid SSL CA and pit-ca)
> 
> int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const 
> char *CApath);
> -> the CApath should point to a folder where certificates of both CAs are 
> stored
> 
> OpenSSL should be able to recover the certificate chain by itself
> 
> Hope it works
> Nico
> 
> ----- Original Message -----
> From: Hafedh TRIMECHE <hafedh.trime...@gmail.com>
> To: openssl-users@openssl.org
> Sent: Thu, 12 Jun 2014 09:49:49 +0200 (CEST)
> Subject: Re: 2 Server certificates
> 
> I used this Pascal procedure to handle other CAs
> 
> procedure TWEBStandaloneServer.InsertCA(CA,Root:UnicodeString);
> var
>   x509 : pX509;
> begin
> { The next four functions are only useful for TLS/SSL servers.
>   f_SSL_CTX_add_client_CA :      function(C: PSSL_CTX; CaCert: PX509): Integer; cdecl = nil; //AG
>   f_SSL_add_client_CA :          function(ssl: PSSL; CaCert: PX509): Integer; cdecl = nil; //AG
>   f_SSL_CTX_set_client_CA_list : procedure(C: PSSL_CTX; List: PSTACK_OF_X509_NAME); cdecl = nil; //AG
>   f_SSL_set_client_CA_list :     procedure(s: PSSL; List: PSTACK_OF_X509_NAME); cdecl = nil; //AG
> }
>   CA   := Trim(CA);
>   Root := Trim(Root);
>   if (CA='') or (Root='') then Exit;
>   FCS.Lock;
>   try
>     { Intermediate CA: trust it in the verify store, advertise its name in
>       the CertificateRequest, and send it as part of the server chain }
>     x509 := BlobToX509(CA);
>     X509_STORE_add_cert(Pointer(FSSLContext.fContext.cert_store),x509);
>     SSL_CTX_add_client_CA(Pointer(FSSLContext.fContext),x509);
>     SSL_CTX_add_extra_chain_cert(Pointer(FSSLContext.fContext),x509);
> 
>     { Root CA: same three steps }
>     x509 := BlobToX509(Root);
>     X509_STORE_add_cert(Pointer(FSSLContext.fContext.cert_store),x509);
>     SSL_CTX_add_client_CA(Pointer(FSSLContext.fContext),x509);
>     SSL_CTX_add_extra_chain_cert(Pointer(FSSLContext.fContext),x509);
>   except
>     { any decoding or OpenSSL error is swallowed here }
>   end;
>   FCS.Unlock;
> end;
> 
> 
> and I obtained this log
> 
> Please guide me in setting up a suitable procedure to accept connections from a
> client whose certificate is issued by the second CA (pit-ca), not
> RapidSSL CA
> 
> Regards
> 
> -----------------------------------------------------------------------------------------------------------------------------------------
> D:\Developer\Tools\SSL\OpenSSL>openssl s_client -showcerts -connect localhost:4430
> WARNING: can't open config file: /usr/local/ssl/openssl.cnf
> Loading 'screen' into random state - done
> CONNECTED(00000170)
> depth=0 serialNumber = abcu8WWhYjl3NQaipWsZh5eFlY3Giv71, OU = GT82566018, OU = See www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated - RapidSSL(R), CN = secure.payerspot.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 serialNumber = abcu8WWhYjl3NQaipWsZh5eFlY3Giv71, OU = GT82566018, OU = See www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated - RapidSSL(R), CN = secure.payerspot.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 serialNumber = abcu8WWhYjl3NQaipWsZh5eFlY3Giv71, OU = GT82566018, OU = See www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated - RapidSSL(R), CN = secure.payerspot.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/serialNumber=abcu8WWhYjl3NQaipWsZh5eFlY3Giv71/OU=GT82566018/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=secure.payerspot.com
>    i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
>  1 s:/C=US/O=Caradas/OU=PIT/CN=pit-ca
>    i:/C=US/O=Caradas/OU=PIT/CN=pit-root
>  2 s:/C=US/O=Caradas/OU=PIT/CN=pit-root
>    i:/C=US/O=Caradas/OU=PIT/CN=pit-root
> ---
> Server certificate
> subject=/serialNumber=abcu8WWhYjl3NQaipWsZh5eFlY3Giv71/OU=GT82566018/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=secure.payerspot.com
> issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
> ---
> Acceptable client certificate CA names
> /C=US/O=GeoTrust, Inc./CN=RapidSSL CA
> /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
> /C=US/O=Caradas/OU=PIT/CN=pit-ca
> /C=US/O=Caradas/OU=PIT/CN=pit-root
> ---
> SSL handshake has read 3311 bytes and written 649 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : AES256-GCM-SHA384
>     Session-ID:
> 4E1F306DC017FF34593693FA862184AC7CF38B976E36681DD7F5481DD2696044
> 
>     Session-ID-ctx:
>     Master-Key:
> 2C469ED2095E5F9F66792C4CAB4339BAD630ADC6773A491F391533EFC99BBE47
> D06FD73DC9ADB4E130B5A664350C3F3E
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 300 (seconds)
>     TLS session ticket:
> 
>     Start Time: 1402558752
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> 
> 
> 
> --
> View this message in context: 
> http://openssl.6102.n7.nabble.com/2-Server-certificates-tp50872p50877.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
> 