Re: [exim-dev] [Bug 2092] Should support dual-key configurat…

Página Principal
Apagar esta mensagem
Responder a esta mensagem
Autor: Jeremy Harris
Data:  
Para: exim-dev@exim.org
Assunto: Re: [exim-dev] [Bug 2092] Should support dual-key configuration with lists of keys/certs
On 02/11/17 18:00, Viktor Dukhovni wrote:
> On Thu, Nov 02, 2017 at 12:15:16PM +0000, admin@??? wrote:
>
>> OpenSSL:
>> The Notes section of SSL_CTX_use_certificate_chain_file(3ssl) uses the word
>> "added", implying we can call it multiple times. The description for
>> SSL_CTX_use_PrivateKey_file() also says "added".
>
> I may have mentioned this on this list before, but just in case:
>
>     * Some versions of OpenSSL prior to 1.1.0 (don't recall whether
>       this includes 1.0.2 or not), don't correctly handle the
>       issuer certificate lists when using multiple chain files.

>
> IIRC, the last chain file loaded was used to provide the issuer
> certificates for all the public key types. The work-around is to
> make sure that all the issuer certificates needed by *any* leaf
> cert are present in *each* chain file.
>
> It would be great if you could test this with 1.0.2, and post your
> findings (likely worth documenting, if 1.0.2 still exhibits the
> anomaly).
>



With OpenSSL 1.0.2k-fips :-

Server has loaded two full-chain .pem files, each having
a leaf-cert, an intermediate, and an anchor.
One chain is pure RSA, the other is pure EC.


For no specified cipher priority list on the server :-
the certificates sent with the server-hello are the RSA chain
(which was the first set in the load sequence).

For a priority list "ECDSA:RSA:!COMPLEMENTOFDEFAULT" :-
the certificates sent with the server-hello are the EC chain.


In both test cases the client-hello listed a full set of
sig-alorithms (including both RSA and ECDSA types).

--
Cheers,
Jeremy