MariaDB Server
MDEV-34214

verify_ca_matches_cert cannot handle intermediate CAs


Details

    • Type: Bug
    • Status: In Review
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 11.5, 10.5.25
    • Fix Version/s: 10.5, 10.6, 10.11
    • Component/s: wsrep
    • Labels: None

    Description

      In certain environments it is customary for the intermediate CAs to be added to the leaf certificate, not to the CApath or CAcert file.

      OpenSSL verify, on the other hand, requires the option "-untrusted" to verify such certificates:

      -untrusted file
          A file of additional untrusted certificates (intermediate issuer CAs) used to construct a certificate chain from the subject certificate to a trust-anchor. The file should contain one or more certificates in PEM format. This option can be specified more than once to include untrusted certificates from multiple files.

      However, `verify_ca_matches_cert` lacks logic to handle "-untrusted":

      https://github.com/MariaDB/server/blob/e4afa610539ae01164485554e2de839bea9de816/scripts/wsrep_sst_common.sh#L1325-L1328

      This is particularly relevant given that Galera enabled support for that a while back:

      https://github.com/codership/galera/issues/571

      and, as far as I know, so does stunnel:

      verifyChain = yes | no
          verify the peer certificate chain starting from the root CA

          For server certificate verification it is essential to also require a specific certificate with checkHost or checkIP.

          The self-signed root CA certificate needs to be stored either in the file specified with CAfile, or in the directory specified with CApath.

          default: no

      verifyPeer = yes | no
          verify the end-entity (leaf) peer certificate

          The end-entity (leaf) peer certificate needs to be stored either in the file specified with CAfile, or in the directory specified with CApath.

          default: no
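The mismatch the report describes, reproduced as an added example (this is not part of the issue, of Galera, or of wsrep_sst_common.sh): a throwaway root / intermediate / leaf chain is generated, the intermediate is appended to the leaf file as in the deployments the report mentions, and two openssl verify invocations are compared. The "-CAfile only" call stands in for what the report says verify_ca_matches_cert effectively does; that is an assumption about the function's internals, only the behaviour described above is relied on. The second call additionally passes the same certificate file as -untrusted. Subject names, file names and the minimal openssl.cnf are made up for the demo; the openssl command-line tool (1.1 or later) must be installed, otherwise the checks report "skip".

```sh
#!/bin/sh
# Added example for MDEV-34214; not code from the issue or from
# wsrep_sst_common.sh. Builds root -> intermediate -> leaf, appends the
# intermediate to the leaf file, and compares "openssl verify" with and
# without "-untrusted". Names and paths are made up for the demo.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

HAVE_OPENSSL=1
command -v openssl >/dev/null 2>&1 || HAVE_OPENSSL=0

# Minimal config so the demo does not depend on the system openssl.cnf.
write_config() {
    cat >"$WORKDIR/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
}

# Creates root.pem (self-signed), inter.pem (issued by root), leaf.pem
# (issued by inter) and bundle.pem = leaf.pem + inter.pem under $WORKDIR.
make_chain() {
    cnf="$WORKDIR/openssl.cnf"
    write_config
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$cnf" -extensions ca_ext -subj "/CN=Demo Root CA" \
        -keyout "$WORKDIR/root.key" -out "$WORKDIR/root.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 -config "$cnf" \
        -subj "/CN=Demo Intermediate CA" \
        -keyout "$WORKDIR/inter.key" -out "$WORKDIR/inter.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORKDIR/inter.csr" -sha256 -days 1 -set_serial 2 \
        -CA "$WORKDIR/root.pem" -CAkey "$WORKDIR/root.key" \
        -extfile "$cnf" -extensions ca_ext -out "$WORKDIR/inter.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 -config "$cnf" \
        -subj "/CN=galera-node1.demo.test" \
        -keyout "$WORKDIR/leaf.key" -out "$WORKDIR/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORKDIR/leaf.csr" -sha256 -days 1 -set_serial 3 \
        -CA "$WORKDIR/inter.pem" -CAkey "$WORKDIR/inter.key" \
        -extfile "$cnf" -extensions leaf_ext -out "$WORKDIR/leaf.pem" >/dev/null 2>&1
    # The deployment style from the report: intermediate appended to the leaf file.
    cat "$WORKDIR/leaf.pem" "$WORKDIR/inter.pem" >"$WORKDIR/bundle.pem"
}

# Trust anchors from -CAfile and nothing else (assumed to be what the SST
# check amounts to). "openssl verify" reads only the first certificate of
# $2, so an intermediate appended to that file is ignored.
verify_cafile_only() {      # $1 = CA file, $2 = certificate file
    [ "$HAVE_OPENSSL" = 1 ] || { echo skip; return; }
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Same anchors, but every certificate in $2 is also offered as untrusted
# chain-building material, so a bundled intermediate can complete the chain.
verify_with_untrusted() {   # $1 = CA file, $2 = certificate file
    [ "$HAVE_OPENSSL" = 1 ] || { echo skip; return; }
    if openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

if [ "$HAVE_OPENSSL" = 1 ]; then
    make_chain
    for f in bundle leaf inter; do
        echo "$f.pem  -CAfile only: $(verify_cafile_only "$WORKDIR/root.pem" "$WORKDIR/$f.pem")" \
             " with -untrusted: $(verify_with_untrusted "$WORKDIR/root.pem" "$WORKDIR/$f.pem")"
    done
fi
```

bundle.pem fails the -CAfile-only check and passes once the same file is given as -untrusted; leaf.pem alone fails both, because no copy of the intermediate is available anywhere; inter.pem passes both, so a deployment that already works (leaf issued directly by the trusted CA) is unaffected by adding -untrusted. Passing the peer's own certificate file as -untrusted does not widen trust: untrusted certificates only supply chain-building candidates, and the chain still has to terminate at a certificate from -CAfile or -CApath.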

      People

            Assignee: Julius Goryavsky (sysprg)
            Reporter: Andre F de M (trixpan)
            Votes: 0
            Watchers: 4