Question
Given stackoverflow.com cert chain as follows:
Builtin DST Root CA -> Let's encrypt intermediate CA -> *.stackexchange.com
Is it possible to make a TLS connection using intermediate CA as trusted CA?
curl https://stackoverflow.com -v --cacert stack_intermediate_ca.pem --capath /dev/null -o /dev/null
curl: (60) SSL certificate problem: unable to get issuer certificate
Is it because the intermediate CA is presented in the server chain during TLS handshake? Or do all certs in chain have to be signed either directly or transitively by a trusted authority?
I verified that the intermediate CA has Is a Certification Authority set in Basic Constraints attribute.
Maybe the trusted CA has to be self-signed, which is not the case with the intermediate CA.
Answer 1:
This behavior here depends on the version of openssl and curl.
Traditionally openssl required the verification of the full chain, i.e. up to the self-signed and locally trusted root certificate. With openssl 1.0.2 the flag X509_V_FLAG_PARTIAL_CHAIN was added, which allowed the chain verification to end in an arbitrary trusted certificate, no matter if it is the self-signed root or not. But this behavior is off by default.
With curl 7.68.0 curl has this flag enabled by default, so that with newer versions of curl and openssl it should be possible to have a chain certificate in --cacert instead of the self-signed root certificate. It does not matter if the server will send more chain certificates than needed to verify the chain since curl/openssl will just use the certificates which are actually needed. Verified with curl 7.68.0 with openssl 1.1.1 on Ubuntu 20.04.
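To reproduce both behaviours the answer describes without touching the network, here is an added shell example (not from the question or the answer): it builds a throwaway root -> intermediate -> leaf chain with openssl and verifies the leaf against the intermediate alone, first with full-chain verification and then with -partial_chain (the X509_V_FLAG_PARTIAL_CHAIN behaviour curl 7.68.0 turns on by default). It assumes an openssl binary of version 1.0.2 or later on PATH; every name and file in it is constructed for the demo.

```shell
# Added example, not from the question or answer: build a demo PKI and check
# how openssl verify treats an intermediate CA used as the trust anchor.
set -e
D=$(mktemp -d)                       # scratch dir for the constructed PKI
trap 'rm -rf "$D"' EXIT
# Extension profiles (constructed for this demo)
cat > "$D/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
cat > "$D/leaf.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:demo.example
EOF
# Helper: fresh key + CSR for a given file stem and CN
mkcsr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$D/$1.key" \
          -out "$D/$1.csr" -subj "/CN=$2" 2>/dev/null; }
# Self-signed root (stands in for the builtin root from the question)
mkcsr root "Demo Root CA"
openssl x509 -req -in "$D/root.csr" -signkey "$D/root.key" -days 2 \
  -extfile "$D/ca.ext" -out "$D/root.pem" 2>/dev/null
# Intermediate signed by the root (stands in for the Let's Encrypt intermediate)
mkcsr int "Demo Intermediate CA"
openssl x509 -req -in "$D/int.csr" -CA "$D/root.pem" -CAkey "$D/root.key" \
  -CAcreateserial -days 2 -extfile "$D/ca.ext" -out "$D/int.pem" 2>/dev/null
# Leaf signed by the intermediate (the server certificate)
mkcsr leaf demo.example
openssl x509 -req -in "$D/leaf.csr" -CA "$D/int.pem" -CAkey "$D/int.key" \
  -CAcreateserial -days 2 -extfile "$D/leaf.ext" -out "$D/leaf.pem" 2>/dev/null
# Classic setup: trust the self-signed root, supply the intermediate as untrusted.
verify_with_root() {
  openssl verify -CAfile "$D/root.pem" -untrusted "$D/int.pem" "$D/leaf.pem" >/dev/null 2>&1
}
# Trust only the intermediate, full chain required: the chain never reaches a
# self-signed cert, so this fails with "unable to get issuer certificate".
verify_full_chain_at_intermediate() {
  openssl verify -CAfile "$D/int.pem" "$D/leaf.pem" >/dev/null 2>&1
}
# Trust only the intermediate, partial chain allowed (X509_V_FLAG_PARTIAL_CHAIN):
# the chain may end at any trusted cert, so this succeeds.
verify_partial_chain_at_intermediate() {
  openssl verify -partial_chain -CAfile "$D/int.pem" "$D/leaf.pem" >/dev/null 2>&1
}
for f in verify_with_root verify_full_chain_at_intermediate verify_partial_chain_at_intermediate; do
  if "$f"; then echo "$f: OK"; else echo "$f: FAILED"; fi
done
```

Only the middle check fails; swapping `-CAfile "$D/int.pem"` for the curl `--cacert stack_intermediate_ca.pem` from the question gives the same split between old and new curl/openssl versions.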
Source: https://stackoverflow.com/questions/61618826/why-does-ssl-connection-fails-when-using-intermediate-ca