Fwd: basic constraints check


Fwd: basic constraints check

Sandeep Deshpande



Hi,

We are using openssl 1.0.2j and have 3-level certificates like this:
root CA --> intermediate01 CA --> intermediate02 CA --> Server certificate.

We generated intermediate02 such that it has the "basicConstraints" extension and "keyUsage" missing. Now we used this intermediate02 CA to sign the server certificate.

We have uploaded the CA certificates on the client side in the trust store.
When a connection is made using openssl s_client / curl, we see that the connection goes through successfully and the certificate chain is verified successfully, OK.

We expected the verification to fail as one of the certificates in the chain has "basicConstraints" missing. But openssl allows it. Is this the right behaviour?

If we need to have this check in place, how do we go about it?


Thanks,
Sandeep


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Fwd: basic constraints check

OpenSSL - User mailing list
> We generated intermediate02 such that it has "basicConstraints" extension and "keyUsage" missing. Now we used this intermediate 02 CA to sign server certificate.

If those extensions, which are *optional,* are not present, then there is no limit on how the keys may be used, or how long the cert chain may be.  OpenSSL is doing the right thing.

If you want to add them, and you cannot upgrade, then read about the openssl config file syntax.  Good luck.



Re: Fwd: basic constraints check

Sandeep Deshpande
Hi Rich, thanks.
We want to add a check in our openssl library on the client side to reject such server certificates, which are generated by an intermediate CA with missing extensions like basic constraints.
How do we go about it?

I looked at the code. In crypto/x509v3/v3_purp.c I see that check_ca is there. But it is getting called only for the server certificate.


Thanks 
Sandeep 

On Thu, May 31, 2018, 11:39 PM Salz, Rich via openssl-users <[hidden email]> wrote:

> We generated intermediate02 such that it has "basicConstraints" extension and "keyUsage" missing. Now we used this intermediate 02 CA to sign server certificate.

If those extensions, which are *optional,* are not present, then there is no limit on how the keys may be used, or how long the cert chain may be.  OpenSSL is doing the right thing.

If you want to add them, and you cannot upgrade, then read about the openssl config file syntax.  Good luck.


Re: Fwd: basic constraints check

Viktor Dukhovni


> On May 31, 2018, at 6:08 PM, Sandeep Deshpande <[hidden email]> wrote:
>
> Hi Rich, thanks.
> We want to add a check in our openssl library on the client side to reject such server certificates, which are generated by an intermediate CA with missing extensions like basic constraints.
> How do we go about it?
>
> I looked at the code. In crypto/x509v3/v3_purp.c I see that check_ca is there. But it is getting called only for the server certificate.

Are you using OpenSSL 1.1.0 or OpenSSL 1.0.2?

--
        Viktor.


Re: Fwd: basic constraints check

OpenSSL - User mailing list
In reply to this post by Sandeep Deshpande

I don’t recall the details of 1.0.2, sorry.  Maybe someone else on this list knows the best place to insert your checks.


From: Sandeep Deshpande <[hidden email]>
Date: Thursday, May 31, 2018 at 6:08 PM
To: Rich Salz <[hidden email]>, openssl-users <[hidden email]>
Subject: Re: [openssl-users] Fwd: basic constraints check

Hi Rich, thanks.

We want to add a check in our openssl library on the client side to reject such server certificates, which are generated by an intermediate CA with missing extensions like basic constraints.

How do we go about it?

I looked at the code. In crypto/x509v3/v3_purp.c I see that check_ca is there. But it is getting called only for the server certificate.

Thanks
Sandeep

On Thu, May 31, 2018, 11:39 PM Salz, Rich via openssl-users <[hidden email]> wrote:

> We generated intermediate02 such that it has "basicConstraints" extension and "keyUsage" missing. Now we used this intermediate 02 CA to sign server certificate.

If those extensions, which are *optional,* are not present, then there is no limit on how the keys may be used, or how long the cert chain may be.  OpenSSL is doing the right thing.

If you want to add them, and you cannot upgrade, then read about the openssl config file syntax.  Good luck.


Re: Fwd: basic constraints check

Viktor Dukhovni
In reply to this post by Sandeep Deshpande


> On May 31, 2018, at 6:08 PM, Sandeep Deshpande <[hidden email]> wrote:
>
> We want to add a check in our openssl library on the client side to reject such server certificates, which are generated by an intermediate CA with missing extensions like basic constraints.
> How do we go about it?
>
> I looked at the code. In crypto/x509v3/v3_purp.c I see that check_ca is there. But it is getting called only for the server certificate.

In OpenSSL 1.0.2 CA certificates found in the trust store
are not checked.  This is fixed in 1.1.0.

You can always implement a verify callback to apply additional
constraints.

--
        Viktor.

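The scenario from the question rebuilt end to end, as an added example that is not part of this thread. It serves both Rich's pointer to the config-file extension syntax (the `basicConstraints` and `keyUsage` lines written to `ca.ext` are exactly what intermediate02 is issued without) and Viktor's point about where 1.0.2 skips its checks: the same server certificate is verified once with the intermediates supplied as untrusted chain material and once with them in the trust store, as the question describes. The CN values, P-256 keys, one-day lifetimes and file layout are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the three-level chain from the
# question and verify the leaf two ways.  CN values, P-256 keys and file names
# are assumptions for the demo.
set -eu

# Extension files in the syntax Rich refers to.  ca.ext is what a CA certificate
# should carry; intermediate02 is deliberately issued without it below.
write_ext_files() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$1/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:server.example\n' \
        > "$1/leaf.ext"
}

# new_key_and_csr DIR NAME CN: P-256 key plus CSR (these subcommands exist on 1.0.2 too).
new_key_and_csr() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$1/$2.key"
    openssl req -new -batch -key "$1/$2.key" -subj "/CN=$3" -out "$1/$2.csr"
}

# issue DIR NAME ISSUER [EXTFILE]: sign NAME's CSR with ISSUER's key.  Without
# EXTFILE the certificate gets neither basicConstraints nor keyUsage.
issue() {
    if [ $# -ge 4 ]; then
        openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
            -CAcreateserial -days 1 -extfile "$4" -out "$1/$2.crt" 2>/dev/null
    else
        openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
            -CAcreateserial -days 1 -out "$1/$2.crt" 2>/dev/null
    fi
}

# build_chain DIR: root CA -> intermediate01 CA -> intermediate02 (no extensions) -> server
build_chain() {
    write_ext_files "$1"
    new_key_and_csr "$1" root "Root CA"
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 1 \
        -extfile "$1/ca.ext" -out "$1/root.crt" 2>/dev/null
    new_key_and_csr "$1" int01 "Intermediate 01 CA"
    issue "$1" int01 root "$1/ca.ext"
    new_key_and_csr "$1" int02 "Intermediate 02 CA"
    issue "$1" int02 int01                      # the flawed CA from the question
    new_key_and_csr "$1" server server.example
    issue "$1" server int02 "$1/leaf.ext"
    cat "$1/int01.crt" "$1/int02.crt" > "$1/untrusted.pem"
    cat "$1/root.crt" "$1/int01.crt" "$1/int02.crt" > "$1/truststore.pem"
}

# Intermediates supplied as untrusted chain material (what a server normally
# sends): they go through the CA checks and intermediate02 is rejected with
# "invalid CA certificate".
verify_chain_untrusted() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/untrusted.pem" "$1/server.crt"
}

# Intermediates in the trust store, as in the question.  1.1.0 and later reject
# intermediate02 here too; 1.0.2 skips trust-store CAs and reports OK.
verify_chain_trusted() {
    openssl verify -CAfile "$1/truststore.pem" "$1/server.crt"
}

# Positive control: intermediate01 carries the extensions and verifies against the root.
verify_good_intermediate() {
    openssl verify -CAfile "$1/root.crt" "$1/int01.crt"
}

demo() {
    w=$(mktemp -d)
    build_chain "$w"
    echo '== intermediates sent as untrusted chain =='
    verify_chain_untrusted "$w" || true
    echo '== intermediates in the trust store =='
    verify_chain_trusted "$w" || true
    echo '== control: intermediate01 alone =='
    verify_good_intermediate "$w" || true
    rm -rf "$w"
}

demo
```

On a 1.1.0 or later build both chain verifications fail with `invalid CA certificate` at depth 1, because intermediate02 has neither `basicConstraints` nor `keyUsage`. On 1.0.2j the trust-store run is the one expected to print OK, since that is the case Viktor describes; the untrusted run is subject to the usual CA checks. That difference also points at the cheapest mitigation short of upgrading or writing a verify callback: keep only the root in the client's trust store and let the server send the intermediates in its chain, so they are verified as untrusted certificates rather than taken on faith.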

Re: Fwd: basic constraints check

Sandeep Deshpande
In reply to this post by Viktor Dukhovni
1.0.2j

On Fri, Jun 1, 2018, 3:52 AM Viktor Dukhovni <[hidden email]> wrote:


> On May 31, 2018, at 6:08 PM, Sandeep Deshpande <[hidden email]> wrote:
>
> Hi Rich, thanks.
> We want to add a check in our openssl library on the client side to reject such server certificates, which are generated by an intermediate CA with missing extensions like basic constraints.
> How do we go about it?
>
> I looked at the code. In crypto/x509v3/v3_purp.c I see that check_ca is there. But it is getting called only for the server certificate.

Are you using OpenSSL 1.1.0 or OpenSSL 1.0.2?

--
        Viktor.
