Re: [TLS] Verifying X.509 Certificate Chains out of order

Peter Gutmann wrote:
> Simon Josefsson <simon@josefsson.org> writes:
> 
>> It is claimed that OpenSSL, IE and Firefox does not enforce the second
>> MUST in the paragraph above, and succeeds in verifying an
>> out-of-sequence chain.  I haven't verified the claim.  It appears as if
>> the OpenSSL developers don't consider their behaviour as a bug (see
>> reply below).
> 
> Add cryptlib to the list of implementations that don't care about the order. 
> In fact I'd be kinda surprised if anyone (well, apart from GnuTLS) cared about 
> cert order.
> 

OpenSSL does verify chains out of order and indeed incomplete chains if
appropriate certificates are trusted.

I would say though that particular server is misconfigured.

>> What are others opinion on this?  I'm looking for some guidance on
>> whether we should modify our current behaviour.
> 
> I'd say modify it, in fact I'm not sure what the rationale for requiring 
> ordering was in the original spec, "it's tidier that way" doesn't strike me as 
> a good argument :-).
> 

This raises a point I've wondered about for a while... Various PKIX
standards allow more than one chain between a root and EE certificate
(cross certification et al) so the (possibly almost) complete one a
server presents may not be the one a client will trust. CRLs can have
distinct paths too.

The wording in the specs (to me at least) implies one unique validation
path.

The CMS standards for example don't have the ordering requirement they
merely allow a set of "useful certificates" which may contain more or
less certificates than necessary to build a chain.

Steve.
-- 
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls