Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
wget, /etc/ssl/certs, and Intermediate CAs
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10157
Location: Somewhere over Atlanta, Georgia

PostPosted: Wed Jul 25, 2018 10:49 pm    Post subject: wget, /etc/ssl/certs, and Intermediate CAs Reply with quote

I note that every CA cert in the /etc/ssl/certs directory (which is populated by the app-misc/ca-certificates package) is a self-signed root CA. I also note that, if I do a wget from a https:// address on a server who's certificate is signed not by a root CA but by an intermediate issuing CA (itself signed by a root CA), even though the root that issued that intermediate issuing CA is in /etc/ssl/certs, wget can't implicitly find the missing cert in the chain, erroring out with a server certificate verification error.

In order to get wget to accept this particular server without error, I had to manually fetch the issuing CA cert, place it in /usr/local/share/ca-certificates (per a recommendation in the update-ca-certificates man page) and then run update-ca-certificates to make it available to (of course, among other things) wget.

My question is, am I doing it right? My Firefox browser default cert cache contains some intermediate CA certs, but /etc/ssl/certs does not.

Incidentally, I had to write a little utility to check whether a particular cert was self signed. In case this might be useful, here it is:
is-self-signed.bash:
#!/bin/bash

certificate=$1
if [ -z $certificate ] ; then
    echo "No cert specified."
    exit 2
fi

subject=`openssl x509 -noout -subject -in $certificate | sed -e 's/subject= //'`
issuer=`openssl x509 -noout -issuer  -in $certificate | sed -e 's/issuer= //'`

if [[ "$subject" != "$issuer" ]] ; then
    echo "Cert $certificate IS NOT self signed. Subject and Issuer disagree."
    exit 1
fi

if ! openssl verify -CAfile $certificate $certificate >/dev/null ; then
    echo "Cert $certificate IS NOT self signed. Failed verify."
    exit 1
fi

true
I'm unaware of an existing tool that will do this in a single step.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10157
Location: Somewhere over Atlanta, Georgia

PostPosted: Fri Jul 27, 2018 6:31 pm    Post subject: Re: wget, /etc/ssl/certs, and Intermediate CAs Reply with quote

Answering my own question here.
John R. Graham wrote:
... am I doing it right?
No, I'm not. What I did is a Band-Aid for a misconfigured server. RFC 5246 (The Transport Layer Security (TLS) Protocol Version 1.2) section 7.4.2 describes the "Server Certificate Message", stating, among other things:
Quote:
This message conveys the server's certificate chain to the client.
(emphasis mine). In other words, the server should be configured to deliver not only its certificate, but any intermediate certificates below the trust anchor.

I've since contacted the server operator, gotten him to correct his server's configuration, and removed my Band-Aid.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum