fix descriptions of credentials and verification app options#11273
DDvO wants to merge 2 commits into openssl:master from
Conversation
BTW, how can one provide untrusted certs to help verify peer certs, to use in case a peer does not send (all of) its cert chain?
1dc2913 to 1ba721a
It turns out that also the descriptions of verification options for the

Thanks @beldmit for your very swift approval! Do you know if/how one can provide untrusted certs to help verify peer TLS certs, to use in case a peer does not send (all of) its cert chain?

I don't know either :(

I agree that for web scenarios pre-known untrusted peer certs make little sense,

This is going to be an RFC soon, it's just waiting for text editing: https://datatracker.ietf.org/doc/draft-ietf-tls-certificate-compression/?include_text=1

Nice, but this just compresses the certs being transmitted; it does not stop sending them.
1ba721a to faa048d
Rebased and partly squashed.

It is missing OTC member approval.

Using extra certs for chain building can come into play when the server is sending a potentially valid chain but you want to use a different one, e.g., chaining up to a different or cross-signed root.

Ping for OTC approval
…apps fix doc of s_client and s_server credentials and verification options fix doc of verification options also for s_time, x509, crl, req, ts, and verify correcting and extending texts regarding untrusted and trusted certs, making the order of options in the docs and help texts more consistent, etc.
faa048d to 5303a7d
Rebased this PR. It still needs an OTC member approval.

The review/approval by @jaym05700 does not count here.

Pinging again for an OTC member review+approval.

This pull request is ready to merge

Merged - thanks!
…apps fix doc of s_client and s_server credentials and verification options fix doc of verification options also for s_time, x509, crl, req, ts, and verify correcting and extending texts regarding untrusted and trusted certs, making the order of options in the docs and help texts more consistent, etc. Reviewed-by: Dmitry Belyavskiy <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from #11273)
…since #10667 Reviewed-by: Dmitry Belyavskiy <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from #11273)
I just found that the merge did not really happen, likely due to some misspelling or the like.
Looking for a way to provide extra untrusted certs for chain building during TLS server cert verification, I found that for both s_client and s_server the documentation of the certificates given with the -cert_chain option attributes them as 'trusted' while in fact they are just untrusted additional certs to use for chain building.

On the other hand, the documentation of most of the -chainCAfile, -chainCApath, -chainCAstore, -verifyCAfile, -verifyCApath, and -verifyCAstore options failed to make clear that all the certificates addressed by them are trusted.

When correcting this I found and fixed some mistakes in the file format options and their descriptions.

I've also slightly improved the description of the crl_download and nameopt options. Moreover, the order of the description of these and related options was somewhat inconsistent, which is fixed as well in this PR.
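As an added illustration of the trusted-versus-untrusted distinction the description above is about (this is example code written for this page, not part of the PR or of OpenSSL's own code), the following POSIX shell script builds a throw-away root/intermediate/leaf PKI and runs `openssl verify` three ways: with only the trust anchor, with the trust anchor plus the intermediate given as an untrusted chain-building cert, and with the whole chain (root included) given only as untrusted. The `verify` app is used instead of s_client/s_server because it needs no network listener, but it has the same split between untrusted chain-building certs and trusted certs that the -chainCA*/-verifyCA* options of the TLS apps rely on. It assumes an openssl binary (1.1.1 or 3.x) on PATH; the subject names, file names and the ca.ext extension file are constructed for the demo.

```shell
#!/bin/sh
# Added example (not OpenSSL project code): untrusted certs help build a chain,
# only certs in the trust store (-CAfile) can make it valid.
# Assumes an openssl binary on PATH; all key material is generated here and is throw-away.

# make_pki DIR: build root (self-signed CA) -> int (CA) -> leaf (end entity) in DIR.
make_pki() {
    dir=$1
    # Extensions for the two CA certificates (constructed for the demo).
    cat > "$dir/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # A P-256 key and CSR for each subject (EC keys keep generation fast).
    for name in root int leaf; do
        openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" -subj "/CN=demo $name" \
            >/dev/null 2>&1
    done
    # Self-signed root with CA extensions.
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 1 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" >/dev/null 2>&1
    # Intermediate CA signed by the root.
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1 -extfile "$dir/ca.ext" -out "$dir/int.pem" >/dev/null 2>&1
    # Leaf signed by the intermediate (no CA extensions).
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 1 -out "$dir/leaf.pem" >/dev/null 2>&1
}

# verify_case LABEL ARGS...: run 'openssl verify ARGS...' and print LABEL=OK or LABEL=FAIL.
verify_case() {
    label=$1
    shift
    if openssl verify "$@" >/dev/null 2>&1; then
        echo "$label=OK"
    else
        echo "$label=FAIL"
    fi
}

# chain_demo: print one result line per verification case.
chain_demo() {
    dir=$(mktemp -d)
    make_pki "$dir"
    # 1) Trust anchor only: the intermediate is unknown, so the chain cannot be built.
    verify_case root_only -CAfile "$dir/root.pem" "$dir/leaf.pem"
    # 2) Same trust anchor, intermediate supplied as an UNTRUSTED chain-building cert.
    verify_case root_plus_untrusted_int -CAfile "$dir/root.pem" \
        -untrusted "$dir/int.pem" "$dir/leaf.pem"
    # 3) Whole chain including the root given only as untrusted: there is no trust
    #    anchor, so the self-signed root in the chain is rejected.
    verify_case all_untrusted -no-CAfile -no-CApath \
        -untrusted "$dir/root.pem" -untrusted "$dir/int.pem" "$dir/leaf.pem"
    rm -rf "$dir"
}

chain_demo
```

Case 2 is the one the PR description's wording matters for: the intermediate passed via -untrusted is used purely to complete the chain, and the verdict still depends on the root being in the trust store. Case 3 shows that listing a cert as untrusted never promotes it to a trust anchor, which is exactly why documentation must not describe such certs as 'trusted'.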