[TLS] Verifying X.509 Certificate Chains out of order
Simon Josefsson <simon@josefsson.org> Mon, 06 October 2008 08:51 UTC
Return-Path: <tls-bounces@ietf.org>
X-Original-To: tls-archive@ietf.org
Delivered-To: ietfarch-tls-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 808B73A6A64; Mon, 6 Oct 2008 01:51:38 -0700 (PDT)
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CCDF03A6A61 for <tls@core3.amsl.com>; Mon, 6 Oct 2008 01:51:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.06
X-Spam-Level:
X-Spam-Status: No, score=-2.06 tagged_above=-999 required=5 tests=[AWL=-0.539, BAYES_00=-2.599, J_CHICKENPOX_23=0.6, WHOIS_DMNBYPROXY=0.478]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q5otwIlYYrEz for <tls@core3.amsl.com>; Mon, 6 Oct 2008 01:51:35 -0700 (PDT)
Received: from yxa-v.extundo.com (yxa-v.extundo.com [83.241.177.39]) by core3.amsl.com (Postfix) with ESMTP id 72E873A6A64 for <tls@ietf.org>; Mon, 6 Oct 2008 01:51:34 -0700 (PDT)
Received: from c80-216-18-41.bredband.comhem.se ([80.216.18.41] helo=mocca.josefsson.org) by yxa-v.extundo.com with esmtpsa (TLS-1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.63) (envelope-from <simon@josefsson.org>) id 1KmloL-0001Ki-Id for tls@ietf.org; Mon, 06 Oct 2008 10:51:30 +0200
X-Hashcash: 1:22:081006:tls@ietf.org::oK73dJlowjkrssgn:NCmQ
From: Simon Josefsson <simon@josefsson.org>
To: tls@ietf.org
References: <1223034323.30303.29.camel@localhost> <877i8pk772.fsf@mocca.josefsson.org> <1223281251.12502.74.camel@localhost>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:081006:pva@gentoo.org::MydaarQSLo/nIhx/:90F1
X-Hashcash: 1:22:081006:help-gnutls@gnu.org::rE71Q3DnHUKkRtuL:I6iM
Date: Mon, 06 Oct 2008 10:51:25 +0200
In-Reply-To: <1223281251.12502.74.camel@localhost> (Peter Volkov's message of "Mon, 06 Oct 2008 12:20:51 +0400")
Message-ID: <87abdit8c2.fsf_-_@mocca.josefsson.org>
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/22.2 (gnu/linux)
MIME-Version: 1.0
Subject: [TLS] Verifying X.509 Certificate Chains out of order
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: tls-bounces@ietf.org
Errors-To: tls-bounces@ietf.org
All, We've received a request to verify X.509 certificate chains out of order in GnuTLS. Doing that would violate the following in RFC 5246 (earlier versions had similar language), §7.4.2: certificate_list This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case. It is claimed that OpenSSL, IE and Firefox does not enforce the second MUST in the paragraph above, and succeeds in verifying an out-of-sequence chain. I haven't verified the claim. It appears as if the OpenSSL developers don't consider their behaviour as a bug (see reply below). For more details, including the particular certificate chain in this example, see: http://thread.gmane.org/gmane.network.gnutls.general/1383/focus=1384 I can see several reasons to enforce the MUST recommendation here, e.g., covert channels, DoS-considerations, unneeded complexity. What are others opinion on this? I'm looking for some guidance on whether we should modify our current behaviour. /Simon Peter Volkov <pva@gentoo.org> writes: > Is it possible to do something similar in gnutls? It looks like there > are reasons to validate certificate with wrong order... > > -------- Forwarded message -------- > From: Tim Hudson <tjh AT cryptsoft com> > Reply-TO: openssl-dev@openssl.org > TO: openssl-dev@openssl.org > > Peter Volkov wrote: >> CC'ing openssl developers for their opinions, since I think this >> behavior better to have consistent or configurable. Description of the >> problem is here: > > Placing this in context - connect with internet explorer or firefox to > https://metasploit.com/ and you will see that both of those independent > implementations see nothing wrong with the certificate chain and handle the > redirect to http://metasploit.com/ without and errors or warnings. > > Implementations typically take the list of certificates as untrusted > certificates to add into the process of walking the certificate chain to a > trusted root certificate. There are pragmatic reasons for doing it this way. > > From an interoperability point of view remember the adage - "Be strict in what > you generate, be liberal in what you accept" > > Tim. > ______________________________________________________________________ > > > -- > Peter. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
- [TLS] Verifying X.509 Certificate Chains out of o… Simon Josefsson
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Rob Dugal
- Re: [TLS] Verifying X.509 Certificate Chains out … Dr Stephen Henson
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Eric Rescorla
- Re: [TLS] Verifying X.509 Certificate Chains out … Steven M. Bellovin
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Mike
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Stefan Santesson
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Axel.Heider
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Alexander Klink
- Re: [TLS] Verifying X.509 Certificate Chains out … Eric Rescorla
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Sylvester
- Re: [TLS] Verifying X.509 Certificate Chains out … Eric Rescorla
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Sylvester
- Re: [TLS] Verifying X.509 Certificate Chains out … Stefan Santesson
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Stefan Santesson
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Steven M. Bellovin
- [TLS] Antwort: Re: Verifying X.509 Certificate Ch… Axel.Heider
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Nelson B Bolyard
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Ben Laurie
- Re: [TLS] Verifying X.509 Certificate Chains out … Ben Laurie
- Re: [TLS] Verifying X.509 Certificate Chains out … Jeffrey A. Williams
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Nelson B Bolyard
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Nelson B Bolyard
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Simon Josefsson
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Yoav Nir
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Nelson B Bolyard
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Alexander Klink