On Thu, Aug 08, 2002 at 01:38:46PM +0200, Balazs Scheidler wrote:
> On Mon, Aug 05, 2002 at 04:03:29PM -0700, Mike Benham wrote:
>
> > However, there is a slightly more complicated scenario. Sometimes it is
> > convenient to delegate signing authority to more localized authorities.
> > In this case, the administrator of www.thoughtcrime.org would get a chain
> > of certificates from the localized authority:
> >
> > [Issuer: VeriSign / Subject: VeriSign]
> > -> [Issuer: VeriSign / Subject: Intermediate CA]
> > -> [Issuer: Intermediate CA / Subject: www.thoughtcrime.org]
> >
> > When a web browser receives this, it should verify that the CN field of
> > the leaf certificate matches the domain it just connected to, that it's
> > signed by the intermediate CA, and that the intermediate CA is signed by a
> > known CA certificate. Finally, the web browser should also check that all
> > intermediate certificates have valid CA Basic Constraints.
> >
> > You guessed it, Internet Explorer does not check the Basic Constraints.
>
> As OpenSSL's default verify callback does not check basic constraints,
> clients that utilize openssl as backend, and verify server certificates can
> be affected too.
>
> w3m for example does no basic constraints checking on its own, and neither
> does lynx.
>
> As I see the curl library does no basic constraints checking, so anything
> that uses curl to fetch https urls is affected too.
>
> As a final example, stunnel does not check basic constraints either. The
> latter is usually using self generated certificates, so the impact is not
> that severe.
>
> An untested (but compiling) code fragment which checks basicConstraints.ca
> field is below (it is to be inserted into the SSL verify_callback):

Update: I was wrong claiming openssl does not check basic constraints by
default. I was looking at the wrong code, it is implemented in crypto/x509v3
where purpose checking is implemented. So programs using openssl are safe.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
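
The basic constraints check discussed in this thread, as an added example that is not part of the original message and not OpenSSL's code: it decodes the DER value of the basicConstraints extension and requires CA:TRUE (and a satisfied pathLenConstraint) on every certificate that issues another one in the chain. The function names, the tuple layout and the sample DER values are assumptions made for the illustration; signature, validity and name checks are out of scope.

```python
# Added example: the basicConstraints rule for a certificate chain (leaf first).
# Signatures and validity dates are not checked; all sample data is constructed.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one short-form DER TLV at pos."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated or long-form TLV")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return buf[pos], buf[pos + 2:end], end

def parse_basic_constraints(der):
    """Decode SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER
    OPTIONAL } into (is_ca, path_len)."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("basicConstraints must be exactly one SEQUENCE")
    is_ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:    # cA BOOLEAN
        _, val, pos = read_tlv(body, pos)
        is_ca = val == b"\xff"                   # DER encodes TRUE as 0xFF only
    if pos < len(body) and body[pos] == 0x02:    # pathLenConstraint INTEGER
        _, val, pos = read_tlv(body, pos)
        path_len = int.from_bytes(val, "big")
    if pos != len(body):
        raise ValueError("unexpected data in basicConstraints")
    return is_ca, path_len

def check_chain(chain):
    """chain: (subject, issuer, basicConstraints DER or None), leaf first.
    Returns a list of problems; empty means every issuer is a valid CA."""
    problems = []
    for i in range(1, len(chain)):
        subject, _, bc = chain[i]
        if chain[i - 1][1] != subject:
            problems.append(f"{chain[i - 1][0]}: issuer is not {subject}")
        is_ca, path_len = parse_basic_constraints(bc) if bc is not None else (False, None)
        if not is_ca:                            # missing extension fails closed
            problems.append(f"{subject}: issues certificates without CA:TRUE")
        elif path_len is not None and path_len < i - 1:
            problems.append(f"{subject}: pathLenConstraint {path_len} exceeded")
    return problems

CA_TRUE = bytes.fromhex("30030101ff")                 # constructed: cA=TRUE
CA_TRUE_PATHLEN0 = bytes.fromhex("30060101ff020100")  # constructed: cA=TRUE, pathlen 0
NOT_CA = bytes.fromhex("3000")                        # constructed: cA defaults to FALSE
GOOD = [("www.thoughtcrime.org", "Intermediate CA", None),
        ("Intermediate CA", "VeriSign", CA_TRUE),
        ("VeriSign", "VeriSign", CA_TRUE)]
BAD = [GOOD[0], ("Intermediate CA", "VeriSign", NOT_CA), GOOD[2]]
```

check_chain(GOOD) returns an empty list, while check_chain(BAD) reports the middle certificate because it issues the leaf without CA:TRUE.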