Jan Zak

Bug: Handshake simulation should fail for OpenSSL and incomplete cert chain

Discussion created by Jan Zak on Apr 28, 2014
Latest reply on May 6, 2014 by Ivan Ristić

Imagine a certificate with an incomplete cert chain, where the remote URL for the missing intermediate cert is listed in the AIA extension, caIssuers field. SSLTest reports the missing cert as "Extra download". Not every client supports the field. Browsers are mostly fine, but the OpenSSL client doesn't.


You can check it with this command:


$ openssl s_client -showcerts -connect domain.com:443 </dev/null
...
Verify return code: 21 (unable to verify the first certificate)


SSLTest should warn about the unsuccessful handshake. This also affects a lot of other apps which use OpenSSL as a library. Maybe you could include some other TLS libraries, like Go crypto.tls, in the handshake simulation.


I guess you are just comparing client capabilities with the server's instead of doing a real handshake simulation, so a possible fix is just to add a boolean field for whether the client supports this feature, and use it.


Thanks for the great tool anyway!


Regards,

Jan Zak
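As an added example that is not part of the original post or of SSL Labs' own code: this Go program performs the check the post asks for. It walks the chain a server sent using only the sent certificates plus the trusted roots (Go's crypto/x509, like OpenSSL's s_client, never follows AIA caIssuers), and reports where the chain breaks and which caIssuers URL the cert at the gap advertises. The CA names and the URL http://ca.example/intermediate.cer are constructed test values, and makeCert is a helper written for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert builds a constructed test cert (parent == nil means self-signed); aiaURL, when set, goes into the AIA caIssuers field (x509.Certificate.IssuingCertificateURL).
func makeCert(cn string, isCA bool, aiaURL string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, // constructed serial; uniqueness is irrelevant here
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign }
	if aiaURL != "" { tmpl.IssuingCertificateURL = []string{aiaURL} }
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil { signer, signerKey = parent, parentKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// ChainReport is what a client that never fetches AIA (OpenSSL s_client, Go's crypto/x509) can conclude from the chain the server sent.
type ChainReport struct {
	Complete      bool     // the leaf links through the sent certs to a trusted root
	MissingIssuer string   // issuer DN of the first cert whose issuer was not sent
	AIAURLs       []string // caIssuers URLs that cert advertises; only AIA-fetching clients use them
}
// findIssuer returns the first cert in pool that signed c (CheckSignatureFrom also enforces the CA constraints).
func findIssuer(c *x509.Certificate, pool []*x509.Certificate) *x509.Certificate {
	for _, p := range pool { if c.CheckSignatureFrom(p) == nil { return p } }
	return nil
}
// CheckSentChain walks up from the leaf (sent[0]) using only the sent certs and the trusted roots, stopping at the first gap: the point where OpenSSL reports "unable to verify the first certificate".
func CheckSentChain(sent, roots []*x509.Certificate) ChainReport {
	for cur := sent[0]; ; {
		if findIssuer(cur, roots) != nil { return ChainReport{Complete: true} }
		next := findIssuer(cur, sent[1:])
		if next == nil || next == cur { // nothing sent signed cur, or cur is an untrusted self-signed cert
			return ChainReport{MissingIssuer: cur.Issuer.String(), AIAURLs: cur.IssuingCertificateURL}
		}
		cur = next
	}
}
```

Run against the certificates a real server sends (for example the ones `openssl s_client -showcerts` prints), a report with Complete false and a non-empty AIAURLs is exactly the "Extra download" case from the post: browsers recover by fetching the URL, OpenSSL-based clients fail the handshake.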
