Re: What is 'trusted certificate'

The below warning message looks a bit like it was produced by OpenSSL, but pretty sure it actually comes from the freeradius server code, which appears to use one of the OpenSSL certificate checking callback mechanisms. So you should ask there what the exact intention for this warning is and how to prevent it.

To me the below warnings look strange because usually at depth 0 and 1 of a cert chain (i.e., at the positions of the end entity cert and any subsequent intermediate cert) it is normal to have untrusted certs. Usually only at the end of the chain you have a trusted cert that represents the trust anchor for the chain.

Some information on the OpenSSL view on trusted/untrusted certs can be found at https://beta.openssl.org/docs/manmaster/man1/openssl-verification-options.html

David

On Fri, 2022-07-15 at 22:38 +0200, Kamil Jońca wrote:

I have freeradius server configured to use EAP-TLS
(certificate based authn)
Since some time I have a warning in logs:

--8<---------------cut here---------------start------------->8---
Fri Jul 15 22:29:04 2022 : Warning: (TLS) untrusted certificate with depth [1] subject name /C=PL/ST=Mazowieckie/L=Warszawa/O=beta/OU=wifi/CN=beta-wifi-ca
Fri Jul 15 22:29:04 2022 : Warning: (TLS) untrusted certificate with depth [0] subject name /C=PL/ST=Mazowieckie/O=beta/OU=wifi/CN=salamandra
--8<---------------cut here---------------end--------------->8---

I took a look into code and it seems to be related to
"X509_STORE_CTX_get0_untrusted(ctx)" function.
I tried to search, but without success.
Can anyone tell me when a certificate is "trusted" in this context?
(How to get rid of this warning) or point to documentation/search keys

KJ

--
http://wolnelektury.pl/wesprzyj/teraz/
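
Added illustration, not part of either message above: the script below builds a constructed three-certificate chain and runs `openssl verify -show_chain`, which marks the depth 0 and depth 1 certificates as "(untrusted)" and leaves only the root taken from the trust store unmarked. The names demo-root, demo-intermediate and demo-leaf and all helper functions are assumptions made up for this example; it says nothing about how freeradius decides when to log its warning.

```shell
#!/bin/sh
# Added example with a constructed demo PKI; every name and helper below is made up.

# mkcert DIR NAME ISSUER IS_CA: new key and certificate for CN=NAME, signed by
# ISSUER's key, or self-signed when ISSUER is "self".
mkcert() {
    d=$1; n=$2; issuer=$3
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$n" \
        -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    if [ "$4" = yes ]; then
        printf 'basicConstraints=critical,CA:TRUE\n' > "$d/$n.ext"
    else
        printf 'basicConstraints=CA:FALSE\n' > "$d/$n.ext"
    fi
    if [ "$issuer" = self ]; then
        openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 1 \
            -extfile "$d/$n.ext" -out "$d/$n.pem" 2>/dev/null
    else
        openssl x509 -req -in "$d/$n.csr" -CA "$d/$issuer.pem" \
            -CAkey "$d/$issuer.key" -CAcreateserial -days 1 \
            -extfile "$d/$n.ext" -out "$d/$n.pem" 2>/dev/null
    fi
}

# Root (future trust anchor) -> intermediate CA -> end-entity certificate.
build_pki() {
    mkcert "$1" demo-root self yes &&
    mkcert "$1" demo-intermediate demo-root yes &&
    mkcert "$1" demo-leaf demo-intermediate no
}

# Root comes from the trust store (-CAfile); the intermediate is only offered as
# chain-building material (-untrusted), the way a TLS peer would send it.
verify_anchored() {
    openssl verify -show_chain -no-CApath -CAfile "$1/demo-root.pem" \
        -untrusted "$1/demo-intermediate.pem" "$1/demo-leaf.pem" 2>&1
}

# Same certificates, but the root is only in the untrusted pile: the chain
# can be built, yet it ends in no trust anchor, so verification fails.
verify_unanchored() {
    cat "$1/demo-intermediate.pem" "$1/demo-root.pem" > "$1/pool.pem"
    openssl verify -no-CAfile -no-CApath -untrusted "$1/pool.pem" \
        "$1/demo-leaf.pem" 2>&1
}

demo=$(mktemp -d) && build_pki "$demo" && verify_anchored "$demo"
```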

