John R. Graham Administrator
Joined: 08 Mar 2005 Posts: 10727 Location: Somewhere over Atlanta, Georgia
Posted: Wed Jul 25, 2018 10:49 pm Post subject: wget, /etc/ssl/certs, and Intermediate CAs
I note that every CA cert in the /etc/ssl/certs directory (which is populated by the app-misc/ca-certificates package) is a self-signed root CA. I also note that, if I do a wget from an https:// address on a server whose certificate is signed not by a root CA but by an intermediate issuing CA (itself signed by a root CA), even though the root that issued that intermediate issuing CA is in /etc/ssl/certs, wget can't implicitly find the missing cert in the chain, erroring out with a server certificate verification error.
In order to get wget to accept this particular server without error, I had to manually fetch the issuing CA cert, place it in /usr/local/share/ca-certificates (per a recommendation in the update-ca-certificates man page) and then run update-ca-certificates to make it available to (of course, among other things) wget.
My question is, am I doing it right? My Firefox browser default cert cache contains some intermediate CA certs, but /etc/ssl/certs does not.
Incidentally, I had to write a little utility to check whether a particular cert was self signed. In case this might be useful, here it is:

is-self-signed.bash:

    #!/bin/bash
    certificate=$1
    if [ -z "$certificate" ] ; then
        echo "No cert specified."
        exit 2
    fi
    # Strip the "subject=" / "issuer=" label; newer OpenSSL prints no space after the '='.
    subject=$(openssl x509 -noout -subject -in "$certificate" | sed -e 's/^subject= *//')
    issuer=$(openssl x509 -noout -issuer -in "$certificate" | sed -e 's/^issuer= *//')
    if [[ "$subject" != "$issuer" ]] ; then
        echo "Cert $certificate IS NOT self signed. Subject and Issuer disagree."
        exit 1
    fi
    # A self-signed cert must verify with itself as the only trust anchor.
    if ! openssl verify -CAfile "$certificate" "$certificate" >/dev/null 2>&1 ; then
        echo "Cert $certificate IS NOT self signed. Failed verify."
        exit 1
    fi
    exit 0

I'm unaware of an existing tool that will do this in a single step.

- John

_________________
I can confirm that I have received between 0 and 499 National Security Letters.
John R. Graham Administrator
Joined: 08 Mar 2005 Posts: 10727 Location: Somewhere over Atlanta, Georgia
Posted: Fri Jul 27, 2018 6:31 pm Post subject: Re: wget, /etc/ssl/certs, and Intermediate CAs
Answering my own question here.

John R. Graham wrote:
> ... am I doing it right?

No, I'm not. What I did is a Band-Aid for a misconfigured server. RFC 5246 (The Transport Layer Security (TLS) Protocol Version 1.2) section 7.4.2 describes the "Server Certificate Message", stating, among other things:

> This message conveys the server's certificate chain to the client.

(emphasis mine). In other words, the server should be configured to deliver not only its certificate, but any intermediate certificates below the trust anchor.
I've since contacted the server operator, gotten him to correct his server's configuration, and removed my Band-Aid.
- John

_________________
I can confirm that I have received between 0 and 499 National Security Letters.
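As an added example that is not part of this thread (my own code, not John's script and not wget's), here is a small Go program that builds a throwaway root -> issuing CA -> server certificate chain in memory and validates the server cert the way wget does, with only roots in the trust store; it also carries the two checks of is-self-signed.bash. The certificate names and the www.example.com hostname are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a cert for cn signed by parent (self-signed when parent is nil): throwaway test PKI.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, // basicConstraints CA:TRUE on the two CA certs
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// isSelfSigned makes the two checks of is-self-signed.bash: subject == issuer, signature verifies under own key.
func isSelfSigned(c *x509.Certificate) bool {
	return c.Subject.String() == c.Issuer.String() && c.CheckSignatureFrom(c) == nil
}

// check builds root -> issuing CA -> server cert and validates the server cert as wget does:
// trusted plays /etc/ssl/certs (roots only); served is what the server sends beside its own cert.
func check(serverSendsInter, localHasInter bool) error {
	root, rootKey := mkCert("root-ca.example.com", true, nil, nil)
	inter, interKey := mkCert("issuing-ca.example.com", true, root, rootKey)
	leaf, _ := mkCert("www.example.com", false, inter, interKey)
	trusted, served := x509.NewCertPool(), x509.NewCertPool()
	trusted.AddCert(root)
	if serverSendsInter { // correct server config: chain in the Certificate message (RFC 5246 7.4.2)
		served.AddCert(inter)
	}
	if localHasInter { // the Band-Aid: intermediate copied into the local store
		trusted.AddCert(inter)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "www.example.com", Roots: trusted, Intermediates: served})
	return err
}
```

check(false, false) reproduces the wget failure (unknown authority), check(true, false) is the server-side fix, and check(false, true) shows why the local Band-Aid also made the error go away.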