Hi Victor,
does it matter that we are not in the TLS case (maybe the code is
different in the SSL_CTX ) ? I am just trying to validate the chain with
the TA set to the SubCA... :D
IMHO, the correct (or, better, the expected) behavior (from a
developer's standpoint) would be to trust keys in the trusted
certificates list, no matter if they are in the form of a Self-Signed or
non-Self-Signed certificate - after all, it is a Trust Anchor --> just a
Public Key :D
Just my 2 cents...
Cheers,
Max
On 12/11/17 4:54 PM, Viktor Dukhovni wrote:
On Dec 11, 2017, at 6:27 PM, Michael Richardson <mcr@xxxxxxxxxxxx> wrote:
I believe that I ran into a similar problem where by I could not pin
('trust') an intermediate certificate (which was not self-signed) for the
purposes of verifying a CMS/PKCS7 object.
I don't have a solution, and I believe that work is required.
As I already mentioned a few times, the new X509_V_FLAG_PARTIAL_CHAIN
flag added in 1.0.2 addresses this issue.
To get pinning provide a trust store with just the pinned issuer CA,
and X509_V_FLAG_PARTIAL_CHAIN set.
With OpenSSL 1.1.0 one can also implement pinning by computing a TLSA
record for the pinned CA, and using OpenSSL's DANE support. OpenSSL
does not do the DNS lookups to find TLSA records, that's up to the
application, so the TLSA records can be entirely synthetic (e.g.
derived from suitable hashes of a pinned CA cert or its public key).
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
