<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>
<div>It is not so much that the server should build the entire chain (though I don't see any negative to that), its that the trusted intermediate CA (just like the root) shouldn't have to be sent by the client. Like you say, partial chain option should treat the intermediate as "root" and therefore it should be optional for the client to send it.</div>
<div> </div>
<div>Chris</div>
<div>
<div name="quote" style="margin:10px 5px 5px 10px; padding: 10px 0 10px 10px; border-left:2px solid #C3D9E5; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="margin:0 0 10px 0;"><b>Sent:</b> Saturday, February 24, 2018 at 5:59 AM<br/>
<b>From:</b> "Ingela Andin" <ingela.andin@gmail.com><br/>
<b>To:</b> "Chris Rempel" <csrl@gmx.com><br/>
<b>Cc:</b> "Erlang-Questions Questions" <erlang-questions@erlang.org><br/>
<b>Subject:</b> Re: [erlang-questions] Intermediate certificate as CA</div>
<div name="quoted-content">
<div>
<div>
<div>Hi!<br/>
</div>
The partial chain option lets you do the certificate path validation with an intermediate as "roo"t e.i. certificates above the trusted intermediate are not validated. I can see that it might be practical if the server would try building the path, but that is not the way I read the RFC.<br/>
</div>
Regards Ingela Erlang/OTP team - Ericsson AB
<div>
<div>
<div>
<div>
<div class="gmail_extra">
<div class="gmail_quote">2018-02-23 23:03 GMT+01:00 Chris Rempel <span><<a href="mailto:csrl@gmx.com" onclick="parent.window.location.href='csrl@gmx.com'; return false;" target="_blank">csrl@gmx.com</a>></span>:<br/>
<blockquote class="gmail_quote" style="margin: 0 0 0 0.8ex;border-left: 1.0px rgb(204,204,204) solid;padding-left: 1.0ex;">Interesting. In my understanding it is perfectly valid for a server to choose to trust an intermediate certificate and validate connecting peers against it.<br/>
<br/>
In fact erlang's ssl implementation provides for such a concept through partial_chain, except the implementation requires the client to send the chain up to and including the trusted intermediate. But the client should not have to send what the server considers the "trusted root".<br/>
<br/>
I think the question is, why does the client have to send the trusted intermediate certifoveicate. How does not sending it "break TLS" as you say? Do you mean it breaks erlang's implementation of TLS, or its a spec violation? I can find no indication of that.<br/>
"<br/>
Chris<br/>
<br/>
<br/>
Sent: Friday, February 23, 2018 at 9:45 AM<br/>
From: "Erik Seres" <<a href="mailto:erikseres@exosite.com" onclick="parent.window.location.href='erikseres@exosite.com'; return false;" target="_blank">erikseres@exosite.com</a>><br/>
To: "Erlang-Questions Questions" <<a href="mailto:erlang-questions@erlang.org" onclick="parent.window.location.href='erlang-questions@erlang.org'; return false;" target="_blank">erlang-questions@erlang.org</a>><br/>
Subject: Re: [erlang-questions] Intermediate certificate as CA<br/>
<br/>
<span class="im HOEnZb">When you say "breaks the TLS protocol" are you referring to establishing trust through PKI or that somehow the connection security is somehow compromised?<br/>
<br/>
Erik<br/>
</span><br/>
<span class="im HOEnZb">> On 2018. Feb 23., at 14:53, Ingela Andin <<a href="mailto:ingela.andin@gmail.com" onclick="parent.window.location.href='ingela.andin@gmail.com'; return false;" target="_blank">ingela.andin@gmail.com</a>[mailto:<a href="mailto:ingela.andin@gmail.com" onclick="parent.window.location.href='ingela.andin@gmail.com'; return false;" target="_blank">ingela.andin@gmail.com</a>]> wrote: <br/>
><br/>
> Hi!<br/>
><br/>
> </span>
<div class="HOEnZb">
<div class="h5">> 2018-02-22 17:57 GMT+01:00 Erik Seres <<a href="mailto:erikseres@exosite.com" onclick="parent.window.location.href='erikseres@exosite.com'; return false;" target="_blank">erikseres@exosite.com</a>[mailto:<a href="mailto:erikseres@exosite.com" onclick="parent.window.location.href='erikseres@exosite.com'; return false;" target="_blank">erikseres@exosite.com</a>]>:<br/>
><br/>
> > Hello,<br/>
> > We are developing a custom service that uses TLS certificates. Clients connect to that service and must present their client certificate. The client certificates are signed by a CA managed by our service. Our service's CA cert is in turn signed by a root cert, and not self signed. We do not want to require the clients to hold the services intermediate cert, and so they connect just presenting their own client certificate. <br/>
> <br/>
> That breaks the TLS protocol. The peer in either direction should send the whole certificate chain with the exception of the ROOT certificate that is optional as the peer has to own it to be able to verify it.<br/>
> <br/>
> > However, the erlang SSL application does not seem to allow for this setup. It seems to require that to verify the client certificate, that the service's cert is self signed (ie a root cert) or that the client provide all intermediate certs in the chain. Is there a way to configure the service with the intermediate cert as the ca, and not require the client to also send it as part of the chain?<br/>
> <br/>
> <br/>
> You can use the option verify_fun to customize the certificate path validation, but you would have to be careful to only accept the valid cases.<br/>
> <br/>
> Regards Ingela Erlang/OTP team - Ericsson AB<br/>
> <br/>
><br/>
> > <br/>
> > Thanks,<br/>
> > Erik<br/>
><br/>
_______________________________________________<br/>
erlang-questions mailing list<br/>
<a href="mailto:erlang-questions@erlang.org" onclick="parent.window.location.href='erlang-questions@erlang.org'; return false;" target="_blank">erlang-questions@erlang.org</a><br/>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a></div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div></div></body></html>