Re: Client authentication certificate verification

I understand that the trusted store must include Intermediate CA 1 or remove Intermediate CA 2 and just have the Root CA in it. I was trying things out to understand how client authentication works.

Regards,
Sudarshan

On Tue, Aug 22, 2017 at 10:37 AM, Sudarshan Raghavan <sudarshan.t.raghavan@xxxxxxxxx> wrote:
This is the CA - Leaf hierarchy I am testing with

Root CA > Intermediate CA 1 > Intermediate CA 2 > Leaf

Trusted certificates configured: Root CA and Intermediate CA 2

Client authenticates itself with this chain: Leaf > Intermediate CA 2 > Intermediate CA 1

I am using openssl 1.1.0f. This client authentication attempt is flagged as failed by OpenSSL. When I enable the X509_V_FLAG_PARTIAL_CHAIN flag, it passes. I was trying to understand why the partial chain flag is needed when the verification chain from Leaf to Root CA can be constructed using both the chain sent by the client and the certificates configured in the trusted store. I looked at the code in the build_chain function inside crypto/x509/x509_vfy.c. This is what I understand. If the issuer of the Leaf certificate (Intermediate CA 2) is found in the trusted store, the code will no longer look in the untrusted chain sent by the client. The code expects that the chain to the Root CA can be constructed from the trusted store itself. Given that Intermediate CA 1 is not in the trusted store, it fails to construct the verification chain to the Root CA and flags a failure. Did I understand this right? I assume in this scenario, enabling the partial chain flag is the way to go.

Regards,
Sudarshan
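The scenario in the quoted message can be reproduced with the openssl command line rather than by reading build_chain. The script below is an added example, not code from the thread or from the OpenSSL project: it constructs a throwaway four-level hierarchy (Root CA > Intermediate CA 1 > Intermediate CA 2 > Leaf) with a minimal config file of its own, puts only Root CA and Intermediate CA 2 in the trust store, supplies Intermediate CA 2 and Intermediate CA 1 as the untrusted chain, and runs `openssl verify` three ways: default chain building, with `-partial_chain` (the CLI switch for X509_V_FLAG_PARTIAL_CHAIN), and with a control trust store that holds only the Root CA. The function names, file stems and the config sections are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Requires an openssl binary (1.0.2 or later for -partial_chain).
# Chain under test: Root CA > Intermediate CA 1 > Intermediate CA 2 > Leaf
# Trust store: Root CA + Intermediate CA 2.  Untrusted (client-sent): Intermediate CA 2 + Intermediate CA 1.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config (constructed here) so the example does not depend on the system openssl.cnf.
cat > cfg <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
EOF

# Generate a P-256 key and a CSR.  $1 = file stem, $2 = common name.
csr() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1.key" 2>/dev/null
  openssl req -new -key "$1.key" -subj "/CN=$2" -config cfg -out "$1.csr" 2>/dev/null
}

# Issue a certificate from a CSR.  $1 = stem, $2 = issuer stem or "self", $3 = extension section.
issue() {
  if [ "$2" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
      -extfile cfg -extensions "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial -days 1 \
      -extfile cfg -extensions "$3" -out "$1.pem" 2>/dev/null
  fi
}

csr root "Root CA";           issue root self v3_ca
csr int1 "Intermediate CA 1"; issue int1 root v3_ca
csr int2 "Intermediate CA 2"; issue int2 int1 v3_ca
csr leaf "Leaf";              issue leaf int2 v3_leaf

cat root.pem int2.pem > trusted.pem    # what the verifier trusts (as in the thread)
cat int2.pem int1.pem > untrusted.pem  # what the client sends alongside Leaf

# Each function prints "ok" or "fail" based on openssl verify's exit status.
run_verify() {
  if openssl verify "$@" -CAfile "$TRUST" -untrusted untrusted.pem leaf.pem >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Default chain building: Leaf's issuer (Intermediate CA 2) is found in the trust store, so the
# untrusted chain is no longer consulted; Intermediate CA 1 cannot be found and the chain stops short.
verify_default()   { TRUST=trusted.pem run_verify; }

# Same inputs with X509_V_FLAG_PARTIAL_CHAIN: the trusted Intermediate CA 2 is accepted as the anchor.
verify_partial()   { TRUST=trusted.pem run_verify -partial_chain; }

# Control: trust only the Root CA, so both intermediates come from the untrusted chain.
verify_root_only() { TRUST=root.pem run_verify; }

echo "default:   $(verify_default)"
echo "partial:   $(verify_partial)"
echo "root-only: $(verify_root_only)"
```

The control case is the practical point for a server operator: if the trust store holds only the Root CA, the client's untrusted chain supplies both intermediates and verification succeeds without any flag. `-partial_chain` is only needed when an intermediate is deliberately meant to act as the trust anchor, and then nothing above it is ever checked.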

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
