[erlang-questions] Intermediate certificate as CA
Ingela Andin
ingela.andin@REDACTED
Sat Feb 24 14:59:44 CET 2018
Hi!
The partial chain option lets you do the certificate path validation with
an intermediate as "roo"t e.i. certificates above the trusted intermediate
are not validated. I can see that it might be practical if the server
would try building the path, but that is not the way I read the RFC.
Regards Ingela Erlang/OTP team - Ericsson AB
2018-02-23 23:03 GMT+01:00 Chris Rempel <csrl@REDACTED>:
Interesting. In my understanding it is perfectly valid for a server to
> choose to trust an intermediate certificate and validate connecting peers
> against it.
>
> In fact erlang's ssl implementation provides for such a concept through
> partial_chain, except the implementation requires the client to send the
> chain up to and including the trusted intermediate. But the client should
> not have to send what the server considers the "trusted root".
>
> I think the question is, why does the client have to send the trusted
> intermediate certifoveicate. How does not sending it "break TLS" as you
> say? Do you mean it breaks erlang's implementation of TLS, or its a spec
> violation? I can find no indication of that.
> "
> Chris
>
>
> Sent: Friday, February 23, 2018 at 9:45 AM
> From: "Erik Seres" <erikseres@REDACTED>
> To: "Erlang-Questions Questions" <erlang-questions@REDACTED>
> Subject: Re: [erlang-questions] Intermediate certificate as CA
>
> When you say "breaks the TLS protocol" are you referring to establishing
> trust through PKI or that somehow the connection security is somehow
> compromised?
>
> Erik
>
> > On 2018. Feb 23., at 14:53, Ingela Andin <ingela.andin@REDACTED[mailto:
> ingela.andin@REDACTED]> wrote:
> >
> > Hi!
> >
> >
> > 2018-02-22 17:57 GMT+01:00 Erik Seres <erikseres@REDACTED[mailto:
> erikseres@REDACTED]>:
> >
> > > Hello,
> > > We are developing a custom service that uses TLS certificates.
> Clients connect to that service and must present their client certificate.
> The client certificates are signed by a CA managed by our service. Our
> service's CA cert is in turn signed by a root cert, and not self signed. We
> do not want to require the clients to hold the services intermediate cert,
> and so they connect just presenting their own client certificate.
> >
> > That breaks the TLS protocol. The peer in either direction should send
> the whole certificate chain with the exception of the ROOT certificate that
> is optional as the peer has to own it to be able to verify it.
> >
> > > However, the erlang SSL application does not seem to allow for this
> setup. It seems to require that to verify the client certificate, that the
> service's cert is self signed (ie a root cert) or that the client provide
> all intermediate certs in the chain. Is there a way to configure the
> service with the intermediate cert as the ca, and not require the client to
> also send it as part of the chain?
> >
> >
> > You can use the option verify_fun to customize the certificate path
> validation, but you would have to be careful to only accept the valid cases.
> >
> > Regards Ingela Erlang/OTP team - Ericsson AB
> >
> >
> > >
> > > Thanks,
> > > Erik
> >
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20180224/560bc711/attachment.htm>
More information about the erlang-questions
mailing list