OpenSSL fails to verify server certificate if there are multiple certs with same subject names in the CApath of client #16304
Description
Issue:
OpenSSL would only verify the server certificate against the first cert under CApath or CAcert if there are multiple certs with the same subject name.
Env:
> openssl version
OpenSSL 1.1.1d 10 Sep 2019
> lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 10 (buster)
Release: 10
Codename: buster
How to reproduce:
- prepare two server certificates with different pem data but using same subject name.
serverA.crt: subject=CN=example.com
serverB.crt: subject=CN=example.com
> md5sum serverA.crt
619873e523f1c5658d58ec8b5aeafe38 serverA.crt
> md5sum serverB.crt
08b571f5529b66124a9111e3e3222b7f serverB.crt
-
suppose that when we use
endpointAas the endpoint to connect the server, then the server will present the serverA.crt. If we useendpointBas the endpont, the server will present the serverB.crt. -
prepare the CApath folder on the client side:
ln -s serverA.crt `openssl x509 -hash -noout -in serverA.crt`.0
ln -s serverB.crt `openssl x509 -hash -noout -in serverB.crt`.1
$ ls /root/cas/
lrwxrwxrwx 1 root root 7 Aug 12 18:32 b183f007.0 -> serverA.crt
lrwxrwxrwx 1 root root 7 Aug 12 09:17 b183f007.1 -> serverB.crt
- test on client side
4.1 use theendpointA, the below command can return as expected.
> openssl s_client -connect endpointA:443 -showcerts -status -CApath /root/cas -servername example.com -debug -state
SSL handshake has read 18087 bytes and written 468 bytes
Verification: OK
4.2 use the endpontB, the below command will fail with certificate verification error
> openssl s_client -connect endpointB:443 -showcerts -status -CApath /root/cas -servername example.com -debug -state
SSL handshake has read 18087 bytes and written 468 bytes
Verification error: self signed certificate
....
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 4FE29B662C5CDCEE04C2C7519637901848C80EDF1F6A57195CA77EA7DFD5E294
Session-ID-ctx:
Master-Key: ACC0ADBEFE214222772D369BC1BB1288DEB5BCAD293229F6A57203A9E07C4C3EAD64C11E2685ACE06B76585A63EFA674
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1628807004
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: yes
4.3 but if I change the soft link order of serverA.crt and serverB.crt. Then using endpointA command will fail but using endpointB command will succeed.
ln -s serverB.crt `openssl x509 -hash -noout -in serverB.crt`.0
ln -s serverA.crt `openssl x509 -hash -noout -in serverA.crt`.1
$ ls
lrwxrwxrwx 1 root root 7 Aug 12 18:32 b183f007.0 -> serverB.crt
lrwxrwxrwx 1 root root 7 Aug 12 09:17 b183f007.1 -> serverA.crt
Others
Sequence numbers make it possible for the directory to contain multiple certificates with same subject name hash value. For example, it is possible to have in the store several certificates with same subject or several CRLs with same issuer (and, for example, different validity period).
ref: https://www.openssl.org/docs/man1.1.0/man3/X509_LOOKUP_hash_dir.html
So I guess it should be supported if a ca directory contains multiple certificates with the same subject name.