On Thu, 2017-04-06 at 09:29 -0700, Adam Williamson wrote:
> On Thu, 2017-04-06 at 18:22 +0200, Kai Engert wrote:
> > I would like to make you aware that the certificate validation of openssl
> > isn't as complete as in NSS.
> >
> > For example, NSS is able to handle the blacklisted/distrusted CAs, which
> > have been published by Mozilla, and are being made available as part of the
> > ca-certificates package, while I believe openssl isn't.
> >
> > In addition, a few CA distrust mechanisms have been implemented at the NSS
> > code level, and no equivalent mechanisms are currently being implemented at
> > the openssl level [1].
>
> I don't believe this is accurate. There is an extended certificate
> format which OpenSSL will accept which allows you to indicate specific
> trust or *dis*trust of a given certificate for specific purposes. You
> could, I think, use this format to produce a certificate file which
> basically says "I distrust this CA certificate for all purposes".
>
> I wrote a bit about this at
> https://www.happyassassin.net/2015/01/16/openssl-trust-and-purpose/ .
>
> Corrections welcome, of course...

The ca-certificates package indeed produces two versions of the PEM format files, one as a simple list of CAs, and another version that uses the BEGIN TRUSTED CERTIFICATE file format, which includes the distrust flags.

A couple of years ago, I had filed a bug to request that the openssl library default is switched to make use of this advanced format:
https://bugzilla.redhat.com/show_bug.cgi?id=873373

However, that bug is still in NEW state, so I guess it depends on the individual applications, whether they use the list that includes distrust information. Which one is libcurl using?

Even if you switch that to the distrust list, you still don't get the partial distrust, which may be implemented at the NSS code level (such as date-based distrust for StartCom/WoSign roots, and the domain constraints for some CA).
Kai
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
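The "BEGIN TRUSTED CERTIFICATE" format the thread refers to is the DER certificate followed by OpenSSL's X509_CERT_AUX structure, which carries the trust and reject OID lists that `openssl x509 -addtrust` / `-addreject` write. The following is an added example, not code from the mailing-list thread, from ca-certificates or from OpenSSL: it builds such a block and parses it back, so you can inspect what a bundle actually says about a given root. The certificate body used here is a constructed placeholder SEQUENCE (the parser only needs the outer TLV to skip it), the `usable_for` precedence model is a simplification of OpenSSL's trust check, and the use of anyExtendedKeyUsage as a blanket reject is assumed to be how a "distrusted for all purposes" entry is expressed.

```python
"""Build and parse OpenSSL "TRUSTED CERTIFICATE" PEM blocks (added example).

Layout of the DER inside the PEM block: the certificate, immediately followed by

    CertAux ::= SEQUENCE {
        trust   SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
        reject  [0] IMPLICIT SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
        alias   UTF8String OPTIONAL,
        keyid   OCTET STRING OPTIONAL,
        other   [1] IMPLICIT SEQUENCE OF AlgorithmIdentifier OPTIONAL }
"""
import base64
import re

ANY_EKU = "2.5.29.37.0"            # anyExtendedKeyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"


def _len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, value, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = bytearray([p & 0x7F])
        p >>= 7
        while p:                      # base-128, high bit set on all but last byte
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def decode_oid(body):
    first = body[0]
    parts = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(str(p) for p in parts)


def _oid_list(seq):
    oids, p = [], 0
    while p < len(seq):
        tag, v, p = _read_tlv(seq, p)
        if tag == 0x06:
            oids.append(decode_oid(v))
    return oids


def build_trusted_pem(cert_der, trust=(), reject=(), alias=None):
    """Append a CertAux to a DER certificate and wrap it as TRUSTED CERTIFICATE."""
    aux = b""
    if trust:
        aux += _tlv(0x30, b"".join(encode_oid(o) for o in trust))
    if reject:
        aux += _tlv(0xA0, b"".join(encode_oid(o) for o in reject))   # [0] IMPLICIT
    if alias:
        aux += _tlv(0x0C, alias.encode("utf-8"))
    b64 = base64.b64encode(cert_der + _tlv(0x30, aux)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN TRUSTED CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END TRUSTED CERTIFICATE-----\n")


def parse_trusted_pem(pem):
    """Split a TRUSTED CERTIFICATE block into the raw cert DER and its aux settings."""
    m = re.search(r"-----BEGIN TRUSTED CERTIFICATE-----(.*?)"
                  r"-----END TRUSTED CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("not a TRUSTED CERTIFICATE block")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, _, pos = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    info = {"cert_der": der[:pos], "trust": [], "reject": [], "alias": None, "keyid": None}
    if pos == len(der):
        return info                   # no aux trailer: no explicit settings at all
    tag, aux, _ = _read_tlv(der, pos)
    if tag != 0x30:
        raise ValueError("trailer is not a CertAux SEQUENCE")
    p = 0
    while p < len(aux):
        t, v, p = _read_tlv(aux, p)
        if t == 0x30:
            info["trust"] = _oid_list(v)
        elif t == 0xA0:
            info["reject"] = _oid_list(v)
        elif t == 0x0C:
            info["alias"] = v.decode("utf-8")
        elif t == 0x04:
            info["keyid"] = v.hex()
        # 0xA1 ("other") carries no trust information and is skipped
    return info


def usable_for(info, purpose_oid):
    """Simplified precedence (assumption): an explicit reject wins, then an explicit
    trust; anyExtendedKeyUsage in either list covers every purpose."""
    if purpose_oid in info["reject"] or ANY_EKU in info["reject"]:
        return "rejected"
    if purpose_oid in info["trust"] or ANY_EKU in info["trust"]:
        return "trusted"
    return "unspecified"


# Constructed placeholder standing in for a real DER certificate: a SEQUENCE holding a
# 200-byte OCTET STRING, long enough to exercise long-form lengths. Not a real cert.
FAKE_CERT_DER = _tlv(0x30, _tlv(0x04, bytes(200)))

if __name__ == "__main__":
    blanket = parse_trusted_pem(build_trusted_pem(
        FAKE_CERT_DER, reject=[ANY_EKU], alias="Distrusted Example Root"))
    partial = parse_trusted_pem(build_trusted_pem(
        FAKE_CERT_DER, trust=[SERVER_AUTH, CLIENT_AUTH], reject=[EMAIL_PROTECTION]))
    for name, entry in (("blanket", blanket), ("partial", partial)):
        print(name, entry["alias"], entry["trust"], entry["reject"],
              usable_for(entry, SERVER_AUTH), usable_for(entry, EMAIL_PROTECTION))
```

Run the parser over every block in the trusted-format bundle that ca-certificates ships and you can see which roots carry a reject list; an application that loads the plain bundle instead sees none of this, which is the distinction the reply above draws. Note also what the format cannot express: the reject and trust lists are per-purpose OIDs only, so date-based or domain-constrained partial distrust has no encoding here.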