
List:       openssl-dev
Subject:    Re: Bug in certificate code?
From:       George Staikos <staikos () 0wned ! org>
Date:       2001-07-27 1:52:03

On Thursday 26 July 2001 18:21, Dr S N Henson wrote:

> In fact I can verify one of the sites, I presume it is
> www.wellsfargo.com, with no problems using the command line:
>
> openssl s_client -connect www.wellsfargo.com:443 -CAfile
> certs/vsign3.pem
>
> vsign3.pem is in the standard OpenSSL distribution.

   Yes, but this is not the same site.  banking.wellsfargo.com is issued with 
a trusted chain - it was the same problem (using SSLv2 only).  Now that I 
think I've worked around problems connecting to certain sites with SSLv3, I 
think this won't be an issue anymore.

> > > which isn't in the archive at all. You can however get it from the site
> > > using the -showcerts option to s_client but you shouldn't really need
> > > it because OpenSSL now supports chain verification.
> >
> >    Does netscape do this?  I tried stracing netscape and didn't see it
> > get this file to my knowledge.  (perhaps I missed it somehow)
>
> The normal SSL negotiation will include the server (or client)
> certificate chain, possibly minus the root. Therefore the only certificates
> you need to trust are root CAs if the server is correctly configured.
> Netscape does something similar.

  Ah, OK.  I'll be giving this implementation a try shortly.

> > As a followup, I think I have found some new important information.  I
> > switched to using SSLv3 instead of v2 and now I get a long chain of
> > certificates that look like they will allow me to verify the certificate.
> > Does this mean it's the server's fault for only giving the top
> > certificate in a chain when only SSLv2 is enabled?  How is this ever
> > supposed to work?
>
> Ah, now SSLv2 can only send the server certificate and not the whole
> chain. Therefore you have to include all the other certificates in the
> chain in the trusted CA file. You can extract the intermediate CA using
> an SSLv3 connection and -showcerts and use that if you really need
> SSLv2.

   Yes, the problem is that we had issues with a few sites which refused to 
negotiate if SSLv3 was enabled.  Thus we had this conundrum of some working 
in one scenario exclusively, and others working in the other.  It looks like 
this is sorted out now so it shouldn't be that much of a problem.

   Thanks for all your help.  It's much appreciated.

-- 

George Staikos

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majordomo@openssl.org
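The chain-extraction step Dr Henson describes (an SSLv3 connection with `-showcerts`, then placing the intermediate CA certificates in the trusted CA file for an SSLv2-only peer) is easy to get wrong by hand, because `s_client` prints the leaf certificate twice: once in the "Certificate chain" section and again under "Server certificate". The following parser is an added example, not code from this thread or from the OpenSSL project. It reads only the "Certificate chain" section, records each certificate's depth, subject and issuer, and emits a PEM bundle of everything except the leaf. The sample output, the host `banking.example.com` and the "Example CA" names are constructed, and the PEM bodies are placeholders rather than real certificates. The regex accepts both the old `/C=US/O=...` name style shown in this thread and the newer `C = US, O = ...` style, and tolerates the extra `a:`/`v:` attribute lines that newer OpenSSL releases print between the issuer line and the PEM block.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `openssl s_client -showcerts` output (hypothetical host,
# placeholder PEM bodies; NOT real certificates). It deliberately includes the
# "Server certificate" section, which repeats the leaf and would be double
# counted by a naive split on BEGIN CERTIFICATE.
SAMPLE_SHOWCERTS = """CONNECTED(00000003)
depth=1 /C=US/O=Example CA/CN=Example Intermediate CA
verify return:1
---
Certificate chain
 0 s:/C=US/O=Example Bank/CN=banking.example.com
   i:/C=US/O=Example CA/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBLEAFLEAFLEAF
-----END CERTIFICATE-----
 1 s:/C=US/O=Example CA/CN=Example Intermediate CA
   i:/C=US/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIBINTERMEDIATE
-----END CERTIFICATE-----
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBLEAFLEAFLEAF
-----END CERTIFICATE-----
subject=/C=US/O=Example Bank/CN=banking.example.com
issuer=/C=US/O=Example CA/CN=Example Intermediate CA
---
"""


@dataclass
class ChainEntry:
    depth: int    # 0 = server (leaf) certificate; higher = closer to the root
    subject: str
    issuer: str
    pem: str      # PEM block including BEGIN/END lines, newline-terminated


# One chain entry: "<depth> s:<subject>", then "i:<issuer>", then any extra
# single-letter attribute lines (a:, v:) newer OpenSSL prints, then the PEM block.
ENTRY_RE = re.compile(
    r"^\s*(\d+) s:([^\n]*)\n"
    r"\s*i:([^\n]*)\n"
    r"(?:\s*[a-z]:[^\n]*\n)*"
    r"(-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----)",
    re.MULTILINE | re.DOTALL,
)


def parse_chain(output: str) -> List[ChainEntry]:
    """Extract the entries of the 'Certificate chain' section, in the order the
    server sent them. Returns [] if the output has no such section."""
    start = output.find("Certificate chain")
    if start < 0:
        return []
    section = output[start:]
    end = section.find("\n---\n")  # s_client separates its sections with '---'
    if end >= 0:
        section = section[:end]
    return [
        ChainEntry(int(depth), subj.strip(), iss.strip(), pem + "\n")
        for depth, subj, iss, pem in ENTRY_RE.findall(section)
    ]


def intermediates_bundle(entries: List[ChainEntry]) -> str:
    """PEM bundle of every sent certificate except the leaf (depth 0): the
    material the thread describes adding to -CAfile for an SSLv2 peer, which
    can only send its own certificate."""
    ordered = sorted(entries, key=lambda e: e.depth)
    return "".join(e.pem for e in ordered if e.depth > 0)


def chain_is_linked(entries: List[ChainEntry]) -> bool:
    """Name-level sanity check: each certificate's issuer must equal the next
    certificate's subject. This does NOT check signatures; use
    `openssl verify -CAfile root.pem -untrusted intermediates.pem leaf.pem`
    for a real verification."""
    ordered = sorted(entries, key=lambda e: e.depth)
    return bool(ordered) and all(
        a.issuer == b.subject for a, b in zip(ordered, ordered[1:])
    )


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_SHOWCERTS)
    for e in chain:
        print(f"depth {e.depth}: {e.subject}  (issued by {e.issuer})")
    print("linked by name:", chain_is_linked(chain))
    print(intermediates_bundle(chain), end="")
```

Two points worth keeping in mind when applying the workaround: anything placed in `-CAfile` becomes a trust anchor in its own right, so the bundle should contain only the intermediate CAs you are prepared to trust directly, and the root certificate should still come from a source you trust rather than from the peer; and the name-linkage check above is only a sanity check on ordering, not a substitute for signature verification.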
