[TLS] ServerCertificate and intermediate CA certs
Martin Rex <Martin.Rex@sap.com> Wed, 02 April 2008 14:22 UTC
I just received a request for help with an SSL interoperability problem that a colleague encountered. He observed that the server certificate validation failed, reporting an incomplete certificate chain when he tried to connect to an (apparently Apache) Web-Server. He had configured the "Verisign Class 3 Public Primary CA" as trusted, and the Server only sends the Server cert, but fails to include the intermediate CA cert (VeriSign Class 3 Secure Server CA).

In my reading of SSLv3->TLSv1.1 that is an obvious and serious violation of the protocol spec. Omitting the self-signed root certificate at the end of the server's certificate chain from the ServerCertificate message is OK/allowed, but omitting intermediate CAs is definitely NOT allowed by the spec.

IMHO, the SSL/TLS stack ought to enforce that the certificate chain in the ServerCertificate message is correct, i.e. omits at most a self-signed root certificate, but NEVER any intermediate CAs, and not even start an SSL handshake if that prerequisite cannot be determined.

Does anyone, by chance, know how/whether that problem can be fixed by configuration in Apache and how (i.e. how to configure Apache so that OpenSSL sends out a correct certification path in the ServerCertificate message, including all necessary intermediate CA certificates)?

-Martin
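An added configuration example, not part of the thread: the mod_ssl misconfiguration that produces the symptom above (only the leaf certificate is served) beside the corrected form. It assumes Apache 2.2-era mod_ssl, where intermediate CA certificates are supplied with SSLCertificateChainFile; the file paths are placeholders.

```apache
# Misconfigured: only the end-entity certificate is given, so the
# ServerCertificate message carries just the leaf. Clients that trust
# only the root (and have no copy of the intermediate CA) fail with an
# incomplete chain.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt   # leaf only
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
</VirtualHost>

# Corrected: the intermediate CA certificate(s) are supplied in a
# separate PEM bundle, leaf-issuer first, so mod_ssl sends
# leaf -> intermediate(s) in the ServerCertificate message. The
# self-signed root may be omitted from the bundle.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/server.key
    SSLCertificateChainFile /etc/apache2/ssl/intermediates.pem
</VirtualHost>

# Verification (run from a client, outside this config):
#   openssl s_client -connect www.example.com:443 -showcerts
# The "Certificate chain" listing should show the leaf followed by each
# intermediate; a chain of depth 0 with "unable to get local issuer
# certificate" means the intermediate is still missing.
```

In Apache 2.4.8 and later the same result is obtained by appending the intermediate certificates after the leaf in the SSLCertificateFile itself, SSLCertificateChainFile being deprecated there.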