On Tue, Jan 27, 2015 at 10:21:01PM +0300, Serj wrote:

> Some web-sites don't send all intermediate certs during "SSL Handshake".

Indeed some websites are misconfigured.

> For example, www.verisign.com sends only server's cert but doesn't send next 
> intermediate cert:

But www.verisign.com is not among them:

    $ sleep 2 |
        openssl s_client -showcerts -connect www.verisign.com:443 2>&1 |
        openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
        openssl pkcs7 -print_certs -noout
    subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2158113/C=US/postalCode=94043/ST=California/L=Mountain View/street=350 Ellis Street/O=Symantec Corporation/OU=Infrastructure Operations/CN=www.verisign.com
    issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA

    subject=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
    issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5

    subject=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    issuer=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority


> So, I need to set a list of intermediate certs for my SSL connections. How to 
> do this?
> 
> With SSL_CTX_load_verify_locations() I can set only trusted root certs, but 
> not intermediate certs.

This is not needed for properly configured servers, such as
www.verisign.com.

While providing additional "untrusted" (intermediate) certificates
is possible, it is complex and the right solution is for the broken
sites to fix their certificate chain configuration.

It is unfortunate that browsers "lend a helping hand" to such sites.

-- 
        Viktor.
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
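The point made in the reply above (a client can supply extra "untrusted" intermediates for path building, but the real fix is the server's chain) can be reproduced offline with the openssl CLI. The script below is an added example, not code from the thread or from the OpenSSL project: it builds a constructed root, intermediate and leaf in a temp directory, shows that the leaf alone does not verify against the root (what a client sees when a server omits its intermediate), and that passing the intermediate via `openssl verify -untrusted` (the CLI counterpart of the untrusted certificates the reply mentions) makes the chain build.

```shell
# Added example; all names are constructed.  Assumes the openssl CLI is on PATH.
set -eu

make_chain() {
  WORK=$(mktemp -d)
  # Self-signed root; "req -x509" applies the default v3_ca extensions (CA:TRUE).
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  # Intermediate CA: CSR signed by the root, marked CA:TRUE so it may issue the leaf.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test Intermediate" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign\n' \
    > "$WORK/int.ext"
  openssl x509 -req -days 2 -in "$WORK/int.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/int.ext" \
    -out "$WORK/int.pem" >/dev/null 2>&1
  # End-entity certificate issued by the intermediate (what a server would present).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" \
    -CAkey "$WORK/int.key" -CAcreateserial -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# verify_leaf LEAF [UNTRUSTED]: returns 0 when a path from LEAF to the trusted
# root can be built, 1 otherwise.  UNTRUSTED is a PEM file of intermediates used
# for path building only; they are not trusted by themselves, just like the extra
# certificates a server sends in its handshake.
verify_leaf() {
  if [ $# -ge 2 ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/root.pem" "$1" >/dev/null 2>&1
  fi
}

make_chain
if verify_leaf "$WORK/leaf.pem"; then
  echo "unexpected: leaf verified without its intermediate"
else
  echo "leaf alone: no path to root (this is what a missing intermediate looks like)"
fi
verify_leaf "$WORK/leaf.pem" "$WORK/int.pem" && echo "leaf + untrusted intermediate: OK"
rm -rf "$WORK"
```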