Current status
Gary E. Miller
gem at rellim.com
Wed Feb 13 23:56:29 UTC 2019
Yo Hal!
On Wed, 13 Feb 2019 15:18:17 -0800
Hal Murray via devel <devel at ntpsec.org> wrote:
> >> I'm calling that "cert and other certs" a chain.
> > Except that is not the definition of a cert full chain file.
> > Please don't make up new terms for long standing, well settled,
> > concepts.
>
> I didn't call it a "full" chain file.
I know. I did. Because that is what LE calls it. One of many ways to
chain certs.
> I pulled the term "chain file" from the API. If you have a URL for a
> good glossary, please share it.
https://letsencrypt.org/docs/glossary/
> From man SSL_CTX_use_certificate_chain_file
> SSL_CTX_use_certificate_chain_file() loads a certificate chain
> from file into ctx. The certificates must be in PEM format and must be
> sorted starting with the subject's certificate (actual client
> or server certificate), followed by intermediate CA certificates if
> applicable, and ending at the highest level (root) CA.
Oh, and LE does not put the root in their "fullchain".
This stuff is messy; the program will have to grind through a lot
of ways this is done in practice.
> SSL_CTX_use_certificate_chain_file() should be used instead of
> the SSL_CTX_use_certificate_file() function in order to allow the use
> of complete certificate chains even when no trusted CA storage is
> used or when the CA issuing the certificate shall not be added to the
> trusted CA storage.
Yes. There will be many cases when the NTS-KE root cert should not
be in the system "trusted CA storage".
> As far as I can tell, you don't need the root cert when feeding the
> chain to a TLS server.
Right, you need it in the NTS client to verify the cert. And you
need root certs to verify any client cert.
> I think the TLS server sends the chain to the
> TLS client.
When I check with Firefox I do not see that.
> The client already has the root cert so it isn't needed
> in normal use.
Really? What if the NTS-KE uses a self-signed cert and does not send it?
> It might be handy when checking things with command
> line tools.
The whole point is to be automatic.
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem at rellim.com Tel:+1 541 382 8588
Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
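The chain-file rules quoted above from the SSL_CTX_use_certificate_chain_file man page, as an added example in Go that is not from this thread or from NTPsec: it parses a PEM chain file, checks the leaf-first ordering, and reports whether the file ends in a self-signed root. A Let's Encrypt fullchain.pem passes the order check but yields hasRoot == false, which is why the NTS client still has to get the root from its own trust store. The certificate names and the generated test certs are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// mkCert builds a constructed test cert for cn (not a real NTS-KE cert); nil parent means self-signed.
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, []byte) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = t, key // self-signed: the template signs itself with its own key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// checkChainFile parses a PEM chain file in the order SSL_CTX_use_certificate_chain_file expects
// (leaf first, each cert signed by the one after it) and reports whether it ends in a self-signed root.
func checkChainFile(bundle []byte) (certs []*x509.Certificate, hasRoot bool, err error) {
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		c, perr := x509.ParseCertificate(b.Bytes) // any non-certificate block is rejected
		if perr != nil {
			return nil, false, perr
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, false, fmt.Errorf("no CERTIFICATE blocks in chain file")
	}
	for i := 0; i+1 < len(certs); i++ {
		if e := certs[i].CheckSignatureFrom(certs[i+1]); e != nil {
			return nil, false, fmt.Errorf("cert %d (%s) is not signed by cert %d (%s): %v", i, certs[i].Subject.CommonName, i+1, certs[i+1].Subject.CommonName, e)
		}
	}
	last := certs[len(certs)-1] // a root is the only cert that validly signs itself
	return certs, last.CheckSignatureFrom(last) == nil, nil
}
```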