FreeRADIUS uses the code below, and its logs show that 1 cert is untrusted according to X509_STORE_CTX_get_num_untrusted, while it outputs everything (2 certs) from the X509_STORE_CTX_get0_untrusted stack.
For a start, it's hard to say whether this "one untrusted cert" is the root or the peer, because X509_STORE_CTX_get0_untrusted returns the stack.
Is there a way to get information on which cert of the stack is untrusted?
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
    /*
     * See if there are any untrusted certificates.
     * If so, complain about them.
     *
     * untrusted, subject[], conf and my_ok are declared earlier in the
     * enclosing FreeRADIUS verify callback.
     */
    untrusted = X509_STORE_CTX_get0_untrusted(ctx);
    if (untrusted) {
        if (conf->disallow_untrusted || RDEBUG_ENABLED2) {
            int i;

            WARN("Certificate chain - %i cert(s) untrusted",
                 X509_STORE_CTX_get_num_untrusted(ctx));

            for (i = sk_X509_num(untrusted); i > 0 ; i--) {
                X509 *this_cert = sk_X509_value(untrusted, i - 1);

                X509_NAME_oneline(X509_get_subject_name(this_cert), subject, sizeof(subject));
                subject[sizeof(subject) - 1] = '\0';

                WARN("(TLS) untrusted certificate with depth [%i] subject name %s",
                     i - 1, subject);
            }
        }

        if (conf->disallow_untrusted) {
            AUTH(LOG_PREFIX ": There are untrusted certificates in the certificate chain. Rejecting.");
            my_ok = 0;
        }
    }
#endif
Wednesday, November 6, 2024 at 23:16:17 UTC+3, Michael Wojcik:
> From: openss...@xxxxxxxxxxx <openss...@xxxxxxxxxxx> On Behalf Of Aleksei “filimonic” Filimonov
> I have One-Tier PKI, and I have self-signed CA (ca.crt) and host cert (host.crt).
...
> root@radius2:/tmp/certs# openssl verify -verbose -crl_download -crl_check -show_chain
> -verify_depth 10 -issuer_checks -no_alt_chains -check_ss_sig -CAfile
> /tmp/certs/ca.crt -CApath /tmp/certs/ca-list /tmp/certs/host.crt
Typically use -CAfile *or* -CApath, not both. -issuer_checks and -no_alt_chains are deprecated.
Do you actually have a CRL server?
> /tmp/certs/host.crt: OK
> Chain:
> depth=0: O = OD.FREEIPA.XYZ, CN = rpi4b.od.freeipa.xyz (untrusted)
> depth=1: O = OD.FREEIPA.XYZ, CN = OD.FREEIPA.XYZ Certificate Authority
I believe openssl verify always lists certificates that aren't trusted in the path as "untrusted". The trusted certificates are the ones found via -CAfile, -CApath, or -trusted (which can't be specified with -CAfile or -CApath). verify is reporting that the chain starts with an untrusted certificate, but can be built to a trusted one.
> I have the same issue for FreeRADIUS running this server :
> Tue Nov 5 22:37:37 2024 : Warning: Certificate chain - 1 cert(s) untrusted
> Tue Nov 5 22:37:37 2024 : Warning: (TLS) untrusted certificate with depth [1]
> subject name /O=OD.FREEIPA.XYZ/CN=OD.FREEIPA.XYZ Certificate Authority
> Tue Nov 5 22:37:37 2024 : Warning: (TLS) untrusted certificate with depth [0]
> subject name /O=OD.FREEIPA.XYZ/CN=rpi4b.od.freeipa.xyz
No, you don't have the same issue with FreeRADIUS. openssl verify says the root is trusted; FreeRADIUS says it is not. The root is not in the collection of trust anchors for FreeRADIUS. I don't work with FreeRADIUS, so I don't know how to fix that, but it's a FreeRADIUS problem, not an OpenSSL one.
Michael Wojcik
Distinguished Technologist, Rocket Software
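Added example, not code from the thread, FreeRADIUS or the OpenSSL project. It rebuilds the one-tier PKI from the question with constructed names (EXAMPLE.TEST stands in for the poster's realm) and assumes only that the openssl command-line tool is installed. The point it shows: the "(untrusted)" marker that openssl verify -show_chain prints comes from X509_STORE_CTX_get_num_untrusted() applied to the built chain (X509_STORE_CTX_get0_chain(): index j is untrusted exactly when j < num_untrusted), so "which cert is untrusted" is a question about the built chain, not about the X509_STORE_CTX_get0_untrusted() stack, which is simply whatever the peer or caller supplied. The three cases mirror the thread: trust anchor only; trust anchor plus a copy of the CA in the untrusted input (what a TLS peer sending its full chain looks like to the FreeRADIUS loop); and no trust anchor at all.

```shell
#!/bin/sh
# Added example (not FreeRADIUS or OpenSSL project code). Constructed one-tier
# PKI: self-signed CA plus one host certificate, all names made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create the CA and a host certificate signed by it (constructed subjects).
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/O=EXAMPLE.TEST/CN=EXAMPLE.TEST Certificate Authority" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/host.key" -out "$WORK/host.csr" \
        -subj "/O=EXAMPLE.TEST/CN=host.example.test" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/host.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/host.crt" >/dev/null 2>&1
}

# Print the depths that "openssl verify -show_chain" flags as "(untrusted)",
# space separated. verify marks chain index j when
# j < X509_STORE_CTX_get_num_untrusted(), i.e. the leading certificates of the
# built chain that were not taken from the trust store. Extra arguments are
# passed straight to openssl verify.
untrusted_depths() {
    openssl verify -show_chain "$@" "$WORK/host.crt" 2>/dev/null \
        | sed -n 's/^depth=\([0-9]*\):.*(untrusted)$/\1/p' \
        | tr '\n' ' ' | sed 's/ $//'
}

# Case 1: CA in the trust store, only the leaf on input.
depths_anchor_only() {
    untrusted_depths -CAfile "$WORK/ca.crt"
}

# Case 2: the CA is additionally offered as untrusted input, the way a TLS
# peer that sends its whole chain looks to a loop over
# X509_STORE_CTX_get0_untrusted(). The issuer is still resolved from the
# store, so the CA is trusted and only the leaf is marked.
depths_anchor_and_untrusted_copy() {
    untrusted_depths -CAfile "$WORK/ca.crt" -untrusted "$WORK/ca.crt"
}

# Case 3: CA only as untrusted input and no trust store at all. The chain
# cannot reach a trust anchor, so verification fails rather than warns.
verify_without_anchor() {
    if openssl verify -no-CAfile -no-CApath -untrusted "$WORK/ca.crt" \
        "$WORK/host.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo failed
    fi
}

make_pki
echo "anchor only, untrusted depths:       $(depths_anchor_only)"
echo "anchor + untrusted copy, depths:     $(depths_anchor_and_untrusted_copy)"
echo "no anchor at all:                    $(verify_without_anchor)"
```

With the CA in the store, both case 1 and case 2 report only depth 0 as untrusted, which is the same "1 cert(s) untrusted" count the FreeRADIUS log shows; the FreeRADIUS loop prints two certificates only because it walks the input stack rather than the built chain. A FreeRADIUS-side check that wants to name the untrusted certificates would therefore walk X509_STORE_CTX_get0_chain() up to X509_STORE_CTX_get_num_untrusted() instead.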