[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: X509_V_FLAG_PARTIAL_CHAIN support in OpenLDAP

To: Howard Chu <hyc@symas.com>, openldap-devel@openldap.org
Subject: Re: X509_V_FLAG_PARTIAL_CHAIN support in OpenLDAP
From: Doug Leavitt <doug.leavitt@oracle.com>
Date: Mon, 22 Jun 2015 17:30:42 -0500
In-reply-to: <55733D81.10309@symas.com>
References: <55722B0D.4080400@oracle.com> <55733D81.10309@symas.com>
User-agent: Mozilla/5.0 (X11; SunOS i86pc; rv:17.0) Gecko/20150507 Thunderbird/17.0.11

Sorry for the delay.  I needed to do some  due diligence before responding.

On 06/06/15 13:35, Howard Chu wrote:

Doug Leavitt wrote:
Hi,
OpenSSL now has X509_V_FLAG_PARTIAL_CHAIN support in the code base asof 1.0.2a.
I would like to submit a patch to enable X509_V_FLAG_PARTIAL_CHAINsupportin OpenLDAP libldap, assuming it exists in the version of OpenSSLbeing use to
build
OpenLDAP.
What's the use case? It appears that the feature has been in OpenSSLsince around 2012, but I don't see much documentation or chatter aboutit. Why is it useful, and do GnuTLS and MozNSS already support asimilar feature?


The use case is:

You have a certificate issued by a CA:

    rootCA -> mysystem

You don't want to trust all of the certificates issued by that CA. Youonly want to trust that particular certificate.

OpenSSL by default ignores trust-list entries that are not for rootCAs. Adding just the "mysystem" certificate has no effect. With thischange, you can add the "mysystem" certificate and that will causeOpenSSL to accept this certificate, even though the trust list does notinclude the CA's root certificate.


A more complex case:

    rootCA -> mycompanyCA -> mysystem

You don't want to trust all of the certificates issued by that CA. Youonly want to trust certificates issued by your company's CA. Again,OpenSSL by default will not let you trust an intermediate CA. With thischange, you can add mycompanyCA's certificate and that will causeOpenSSL to accept certificates signed by your company CA.

The reason this is coming up now, is that the old Mozilla libldap/NSScombination supported this by default but the combination ofOpenLDAP/OpenSSL currently does not. We first discovered the issue backin 2012 and realized that OpenSSL did not support partial chains.Working through our security team the project that discovered the issueconvinced the OpenSSL upstream to add the X509_V_FLAG_PARTIAL_CHAINsupport so that eventually we could find a way to incorporate thatsupport back into OpenLDAP.

Additionally we have since uncovered some programs that depend on thisMozilla functionality and we would like to see it supported in theOpenLDAP/OpenSSL so those applications can finish moving off Mozillalibldap/NSS.

Moving forward to today it looks like OpenSSL has the support, disabledby default, and both GNUTLS and NSS have the support for partial chainsenabled by default.


In GNUTLS, the support is here:
https://gitlab.com/gnutls/gnutls/blob/master/lib/x509/verify.c#L868

In NSS the support is here:

http://mxr.mozilla.org/security/source/security/nss/lib/certhigh/certvfy.c#532where intermediate certificates are processed (with the final decisionat 557), and that leaf certificates are handled athttp://mxr.mozilla.org/security/source/security/nss/lib/certhigh/certvfy.c#916


In OpenSSL the support is disabled by default here:
https://github.com/openssl/openssl/blob/master/crypto/x509/x509_vfy.c#L819

Our hope is to have OpenLDAP/OpenSSL be either on par with OpenLDAP/NSS and
OpenLDAP/GNUTLS or at least have the option of be on par without having to
maintain a downstream code fork.


The code change itself is simple.  At a minimum it is as simple as adding:

#ifdef X509_V_FLAG_PARTIAL_CHAIN
       /*
        * Allow intermediate or leaf certificates in the trust list to
        * act as trust anchors.
        */
       X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx),
           X509_V_FLAG_PARTIAL_CHAIN);
#endif

after:

http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/libldap/tls_o.c;h=5d2367c6c1cc1e45707dbd070dadf88a556f8d74;hb=HEAD#l381

From our investigation always adding the support does not seem to beharmful in any way and maintains compatibility with some existing software.


Hence the original question.

Thanks in advance for your consideration,
Doug.


Before I submit any patch I would like to know that would be acceptable
for integration.

Should support always be enabled if the version of OpenSSL has it
     e.g. ifdef on X509_V_FLAG_PARTIAL_CHAIN
Should it be a config time option check and ifdef enable if found in
    e.g. like the ifdef on HAVE_OPENSSL_CRL

Are there more requirements that is required in the patch, before itwould

be accepted such as ldap_set_option support?

Thanks in advance,
Doug.

Follow-Ups:
- Re: X509_V_FLAG_PARTIAL_CHAIN support in OpenLDAP
  - From: Aaron Richton <richton@nbcs.rutgers.edu>
- Re: X509_V_FLAG_PARTIAL_CHAIN support in OpenLDAP
  - From: Howard Chu <hyc@symas.com>

References:
- X509_V_FLAG_PARTIAL_CHAIN support in OpenLDAP
  - From: Doug Leavitt <doug.leavitt@oracle.com>
- Re: X509_V_FLAG_PARTIAL_CHAIN support in OpenLDAP
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: Update/drop cruft: LDAP_DEPRECATED, CLDAP, C version
Next by Date: Re: X509_V_FLAG_PARTIAL_CHAIN support in OpenLDAP
Index(es):
- Chronological
- Thread