I have an odd situation, and I don't know what the expected behavior is. It was experienced when attempting to validate a path for usercenter.checkpoint.com.

If I use s_client and `-showcerts`, I get a chain that terminates in an old Root called "Class 3 Public Primary Certification Authority". It's old and deprecated, so I tried to root or anchor trust in the next lower intermediate. The next lower intermediate is called "VeriSign Class 3 Public Primary Certification Authority - G5". It's sent in the chain, *but* I downloaded it out of band from Symantec's site. Then I ran s_client again with the downloaded version of the certificate (see below). It results in "Verify return code: 20 (unable to get local issuer certificate)".

After some digging, it looks like "VeriSign Class 3 Public Primary Certification Authority - G5" are two different certificates with two different serial numbers. One is sent in the chain and one is available for download. What changed is the G5 certificate was promoted to a self-signed root due to the former CA deprecation. But it reused the Distinguished Name and public key, so Authority Key Identifier and Subject Key Identifier stayed the same.

What is the expected behavior here? Should it fail or should it succeed? Does the chain override the root or anchor?

I think RFC 4518 treats them as different certificates, so it just looks like the old G5 certificate is spurious and unnecessary (... but confusing due to the DN/SKI reuse).

Jeff

**********

$ openssl s_client -connect usercenter.checkpoint.com:443 -tls1 \
    -servername usercenter.checkpoint.com \
    -CAfile VeriSign-Class-3-Public-Primary-Certification-Authority-G5.pem
...
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: C58DA6CCEDD45F1BBA0FEE06C8A83B999E94105156DBF68365E98FD9E930668E
    Session-ID-ctx:
    Master-Key: F725717020A58405B9B08366F46157F606F7B37CB4142B690F613F43C1073BB6E178A2D1FECB7A735D9359FDE3E2B6F0
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1432427549
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
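The situation in the post above, reproduced as an added example (this is not Jeff's code and not OpenSSL's). It uses the python-cryptography library to build a constructed PKI with the same shape: an old root, a "G5" CA key that appears twice (once cross-signed by the old root, as sent in the chain, and once self-signed, as downloaded out of band), and a leaf issued from that key. All names ("Test Old Root", "Test G5", "server.test"), keys and serials are constructed test data. The comparison functions show that the two G5 copies share subject, SKI and public key and differ only in issuer and serial, so name-and-key issuer matching accepts either one, and the leaf's signature verifies directly against the self-signed copy.

```python
"""Constructed reproduction of a cross-signed vs. self-signed CA pair
that share a DN, public key and SKI but have different serials/issuers."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

NOT_BEFORE = datetime.datetime(2015, 1, 1)
NOT_AFTER = datetime.datetime(2035, 1, 1)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, subject_key, issuer_cn, issuer_key, serial, is_ca):
    """Issue a certificate whose SKI/AKI are derived from the keys, as a real
    CA does. The same subject key therefore yields the same SKI no matter
    which issuer signs it."""
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(serial)
        .not_valid_before(NOT_BEFORE)
        .not_valid_after(NOT_AFTER)
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(subject_key.public_key()), critical=False)
        .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(issuer_key.public_key()), critical=False)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def build_test_pki():
    """Constructed hierarchy mirroring the post: old root -> cross-signed G5 -> leaf,
    plus a self-signed G5 issued from the same key (the out-of-band download)."""
    old_root_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    g5_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return {
        "old_root": make_cert("Test Old Root", old_root_key, "Test Old Root", old_root_key, 1, True),
        "g5_cross": make_cert("Test G5", g5_key, "Test Old Root", old_root_key, 2, True),  # sent in chain
        "g5_self": make_cert("Test G5", g5_key, "Test G5", g5_key, 3, True),  # downloaded anchor
        "leaf": make_cert("server.test", leaf_key, "Test G5", g5_key, 4, False),
    }


def _ski(cert):
    return cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest


def _spki(cert):
    return cert.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)


def compare_certs(a, b):
    """Report which identity fields two certificates share."""
    return {
        "same_subject": a.subject == b.subject,
        "same_ski": _ski(a) == _ski(b),
        "same_public_key": _spki(a) == _spki(b),
        "same_issuer": a.issuer == b.issuer,
        "same_serial": a.serial_number == b.serial_number,
        "identical": a.public_bytes(serialization.Encoding.DER) == b.public_bytes(serialization.Encoding.DER),
    }


def classify(chain_cert, anchor):
    """Tell a byte-identical anchor apart from a re-issued copy of the same key."""
    f = compare_certs(chain_cert, anchor)
    if f["identical"]:
        return "same certificate"
    if f["same_subject"] and f["same_ski"] and f["same_public_key"]:
        return "same key, re-issued under a different issuer/serial"
    return "unrelated"


def issuer_matches(child, candidate):
    """Name-and-key issuer matching as a path builder does it: the candidate's
    subject must equal the child's issuer and its SKI must equal the child's AKI."""
    aki = child.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier
    return candidate.subject == child.issuer and _ski(candidate) == aki


def verify_signature(child, issuer):
    """Check the child's signature with the issuer's RSA public key (PKCS#1 v1.5)."""
    try:
        issuer.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                   padding.PKCS1v15(), child.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


if __name__ == "__main__":
    pki = build_test_pki()
    print("chain G5 vs downloaded G5:", classify(pki["g5_cross"], pki["g5_self"]))
    print("leaf signature checks against downloaded G5:", verify_signature(pki["leaf"], pki["g5_self"]))
```

Because the leaf verifies directly against the self-signed copy, whether the overall validation succeeds comes down to a path-building choice: a verifier that follows the server-sent cross-signed copy up to the old root, and only then consults the trust store, reports a missing issuer, while one that checks the trust store before the untrusted chain stops at the self-signed anchor. OpenSSL exposes that choice as the X509_V_FLAG_TRUSTED_FIRST flag (`-trusted_first` in s_client and verify, added in 1.0.2 and the default from 1.1.0).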