Re: How to rotate cert when only first matching cert been verified

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

the exact behavior:

When looking up CA certificates, the OpenSSL library will first search the certificates in CAfile, then those in CApath. Certificate matching is done based on the subject name, the key identifier (if present), and the serial number as taken from the certificate to be verified. If these data do not match, the next certificate will be tried. If a first certificate matching the parameters is found, the verification process will be performed; no other certificates for the same parameters will be searched in case of failure.

why no other certificates for the same parameters will be searched?

定平袁 <pkudingping@xxxxxxxxx> 于2020年12月20日周日 上午8:59写道:
Hello everyone,

Recently I am trying to rotate a cert, and the client uses python requests lib, which leverages openssl. Here is my steps:

1. Generate a new cert, and append it to the cert file(at this point, there are 2 certs in the file, first is old cert, second is new, they have the same Subject), restart client side process, (no problem here, because first cert matching server side cert, and it verifies successfully)
2. Replace server side with new cert.

As soon as I issue step #2, the client side process starts to show error “certificate verify failed”. This would cause downtime to my apps. I am new to this, not sure if there is anything wrong regarding my usage or understanding. But I found this page https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_load_verify_locations.html, it says the exact behavior like my test:

If several CA certificates matching the name, key identifier, and serial number condition are available, only the first one will be examined. This may lead to unexpected results if the same CA certificate is available with different expiration dates. If a "certificate expired" verification error occurs, no other certificate will be searched. Make sure to not have expired certificates mixed with valid ones.

So I am wondering how to rotate cert in such a case? It would be very helpful if anyone could help on this. Thanks.

BTW, I tested the same cert file with CURL (compiled with gnutls), it works fine.

Regards
Dingping
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux