Article delegate-en/4059 of [1-5169] on the server localhost:119
[Reference:<_A4058@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: How to verify a server's certificate?
10 Aug 2008 16:24:09 GMT Monika Schilling <p3ehqbdyi-abjexvcnmutr.ml@ml.delegate.org>


Hi Yutaka,

On Saturday August 9 2008 11:18, Yutaka Sato wrote:

...

Why do you think that DeleGate did not verify it?
Your log shows that the verification of the server's certificate
succeeded (ok=1) based on your CAfile at [/home/ms/delegate/lib/CA.pem],
thus the SSL connection is established.

...


You are right and helped me to get out of an endless loop of
misinterpretation. Thank you!

Unfortunately I still have a problem.

This is because I want more than the answer "There is some CA certificate
which verifies the certificate of the peer". In order to raise the security
level my intention is to specify the CA certificate explicitly and to ignore
the bunch of preinstalled certificates in the system certs folder
(/etc/ssl/certs) of the OpenSSL installation of my openSUSE Linux
distribution completely.

Playing with the OpenSSL command line tools I achieved this but not with 
DeleGate.

We have 2 test cases to consider:

1. The certificates match
   Expected result: Verification succeeds.

2. The certificates do not match. Here the mismatch is simulated by supplying 
   an inappropriate CA certificate.
   Expected result: Verification fails.


OpenSSL Test Case for 1.
=======================
  ms@r50e-ms:~/tmp/DeleGate> openssl verify -verbose -CApath emptyDir
    -CAfile thawteCp.pem pop.1und1.de.pem
  pop.1und1.de.pem: OK
  ms@r50e-ms:~/tmp/DeleGate>

OpenSSL Test Case for 2.
========================
  ms@r50e-ms:~/tmp/DeleGate> openssl verify -verbose -CApath emptyDir
    -CAfile vsign1.pem pop.1und1.de.pem
  pop.1und1.de.pem: /C=DE/ST=Rheinland-Pfalz/L=Montabaur/O=1 und 1 Internet
    AG/CN=pop.1und1.de
  error 20 at 0 depth lookup:unable to get local issuer certificate
  ms@r50e-ms:~/tmp/DeleGate>

As you see, the masking of the system certs directory is achieved by
directing (via -CApath) to an empty directory.


Now to the problem with DeleGate. The 2 cases translate to the following
respective lines in the DeleGate configuration file.

DeleGate Test Case for 1.
=========================
  STLS="fsv,sslway -Vrfy -CApath emptyDir -CAfile thawteCp.pem  -vd"

DeleGate Test Case for 2.
=========================
  STLS="fsv,sslway -Vrfy -CApath emptyDir -CAfile vsign1.pem    -vd"


Indeed case 1 produces the expected result, that is verification. Unexpectedly
case 2 yields verification, too. Only if I touch the OpenSSL system folder
/etc/ssl/certs and remove there the symbolic link

  c33a80d4.0 -> thawteCp.pem

I get a verification error. Obviously the system certs folder is still in
the CApath.

Is this by intention? Touching the system certs folder is not an option for
me.

I will send log files upon request.


Cheers, Monika
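The two OpenSSL test cases above, rebuilt as a self-contained script that does not depend on the poster's certificate files or on the system trust store. This is an added example, not part of the original mail or of DeleGate; the CA names (ca-good, ca-other) and the server name pop.example.test are constructed for the demo, and the script assumes an `openssl` binary and `mktemp` are on the PATH.

```shell
#!/bin/sh
# Added example (not from the original mail): reproduce the two
# "openssl verify" cases with throwaway CAs so the run is fully offline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
EMPTY="$WORK/emptyDir"   # plays the role of the empty -CApath in the mail
mkdir -p "$EMPTY"

# gen_ca NAME: self-signed CA certificate and key (constructed test CA)
gen_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$1" 2>/dev/null
}

# issue_cert CA CN: leaf certificate for CN, signed by CA
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
        -out "$WORK/$2.csr" -subj "/CN=$2" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" 2>/dev/null
}

# verify_with CA CN: the command from the mail. -CApath points at an empty
# directory, so /etc/ssl/certs is never consulted and only -CAfile decides.
# Exit status is openssl's: 0 only when CA actually issued the certificate.
verify_with() {
    openssl verify -CApath "$EMPTY" -CAfile "$WORK/$1.pem" "$WORK/$2.pem"
}

gen_ca ca-good
gen_ca ca-other
issue_cert ca-good pop.example.test

# Case 1: matching CA -> prints "<path>/pop.example.test.pem: OK"
verify_with ca-good pop.example.test
# Case 2: unrelated CA -> "error 20 at 0 depth lookup: unable to get local
# issuer certificate" on stderr and a non-zero exit status
if verify_with ca-other pop.example.test 2>/dev/null; then
    echo "unexpected: verification passed with an unrelated CA" >&2
    exit 1
fi
```

A sslway-style proxy that behaves like the second OpenSSL case in the wrong-CA run is the behaviour the mail asks for; if the proxy still reports success there, some other trust store is being consulted.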
