Re: [TLS] Verifying X.509 Certificate Chains out of order

Dr Stephen Henson <> Mon, 06 October 2008 12:07 UTC

Return-Path: <>
Received: from [] (localhost []) by (Postfix) with ESMTP id 307053A6AB0; Mon, 6 Oct 2008 05:07:15 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id A2BD128C0D7 for <>; Mon, 6 Oct 2008 05:07:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wH7PBpvENGUI for <>; Mon, 6 Oct 2008 05:07:12 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 67C613A6A76 for <>; Mon, 6 Oct 2008 05:07:12 -0700 (PDT)
Received: from ([]:49431 helo=[]) by with esmtpa (plain:drh) (Exim 4.69) (envelope-from <>) id 1Kmoqz-0004pG-Tw; Mon, 06 Oct 2008 13:07:02 +0100
Message-ID: <>
Date: Mon, 06 Oct 2008 13:06:31 +0100
From: Dr Stephen Henson <>
User-Agent: Thunderbird (Windows/20080914)
MIME-Version: 1.0
To: Peter Gutmann <>
References: <>
In-Reply-To: <>
X-Enigmail-Version: 0.95.7
X-Clara-Relay: Message sent using Claranet Relay Service using auth code: drh
Subject: Re: [TLS] Verifying X.509 Certificate Chains out of order
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Peter Gutmann wrote:
> Simon Josefsson <>; writes:
>> It is claimed that OpenSSL, IE and Firefox does not enforce the second
>> MUST in the paragraph above, and succeeds in verifying an
>> out-of-sequence chain.  I haven't verified the claim.  It appears as if
>> the OpenSSL developers don't consider their behaviour as a bug (see
>> reply below).
> Add cryptlib to the list of implementations that don't care about the order. 
> In fact I'd be kinda surprised if anyone (well, apart from GnuTLS) cared about 
> cert order.

OpenSSL does verify chains out of order and indeed incomplete chains if
appropriate certificates are trusted.

I would say though that particular server is misconfigured.

>> What are others opinion on this?  I'm looking for some guidance on
>> whether we should modify our current behaviour.
> I'd say modify it, in fact I'm not sure what the rationale for requiring 
> ordering was in the original spec, "it's tidier that way" doesn't strike me as 
> a good argument :-).

This raises a point I've wondered about for a while... Various PKIX
standards allow more than one chain between a root and EE certificate
(cross certification et al) so the (possibly almost) complete one a
server presents may not be the one a client will trust. CRLs can have
distinct paths too.

The wording in the specs (to me at least) implies one unique validation

The CMS standards for example don't have the ordering requirement they
merely allow a set of "useful certificates" which may contain more or
less certificates than necessary to build a chain.

Dr Stephen N. Henson.
Core developer of the   OpenSSL project:
Freelance consultant see:
Email:, PGP key: via homepage.

TLS mailing list