Re: [TLS] Verifying X.509 Certificate Chains out of order

Martin Rex <> Mon, 06 October 2008 19:09 UTC

Return-Path: <>
Received: from [] (localhost []) by (Postfix) with ESMTP id A372E28C1A8; Mon, 6 Oct 2008 12:09:43 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id B763828C197 for <>; Mon, 6 Oct 2008 12:09:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.755
X-Spam-Status: No, score=-5.755 tagged_above=-999 required=5 tests=[AWL=0.494, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id aW5Q5s0VgAGS for <>; Mon, 6 Oct 2008 12:09:41 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 66A2E28C114 for <>; Mon, 6 Oct 2008 12:09:41 -0700 (PDT)
Received: from by (26) with ESMTP id m96J9dIT012706; Mon, 6 Oct 2008 21:09:39 +0200 (MEST)
From: Martin Rex <>
Message-Id: <>
To: (Peter Gutmann)
Date: Mon, 6 Oct 2008 21:09:36 +0200 (MEST)
In-Reply-To: <> from "Peter Gutmann" at Oct 6, 8 10:44:49 pm
MIME-Version: 1.0
X-Scanner: Virus Scanner virwal05
X-SAP: out
Subject: Re: [TLS] Verifying X.509 Certificate Chains out of order
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Peter Gutmann wrote:
> Simon Josefsson <>; writes:
> > 
> >It is claimed that OpenSSL, IE and Firefox does not enforce the second
> >MUST in the paragraph above, and succeeds in verifying an
> >out-of-sequence chain.  I haven't verified the claim.  It appears as if
> >the OpenSSL developers don't consider their behaviour as a bug (see
> >reply below).
> Add cryptlib to the list of implementations that don't care about the order. 
> In fact I'd be kinda surprised if anyone (well, apart from GnuTLS) cared
> about cert order.

All implementations that seriously care about (server) performance
ought to fail with an unordered certificate_list (and not try to
reorder themselves).  Our OEM implementation does care.

> >What are others opinion on this?  I'm looking for some guidance on
> >whether we should modify our current behaviour.
> I'd say modify it, in fact I'm not sure what the rationale for requiring 
> ordering was in the original spec, "it's tidier that way" doesn't
> strike me as a good argument :-).

It is a big waste to sort and sort and sort the list each time
it is processed.  The one who is persisting the data (credential holder)
can sort it once and for all.

Looking at their specs, even the WebServicesSecurity folks are prefering
the ordered list X509PKIPathv1 over the PKCS7 unordered bag of certificates.
(and someone who uses XML to build a solution does otherwise not care
 very much about performance).

TLS mailing list