v20240103.0 improved certificate debugging a great deal. Prior to that release, only one cert was printed for debug. After, every cert that was directly provided (as opposed to being pulled from the local trust store) was displayed. Additionally, notAfter, commonName, and serverAltName for each cert were presented. (these changes apply to both local and peer cert, but this ticket is focusing only on peer certs)
signed-intermediate-partial-chain.pem contains the cert for signed-intermediate.example.com and also the intermediate cert, but not the root cert
Prior to v20240103.0, the interesting part would have looked like:
=== TLS peer DN="/C=US/ST=Indiana/O=Swaks Development (signed-intermediate.example.com, with-SAN)/CN=signed-intermediate.example.com/emailAddress=proj-swaks@jetmore.net"
Of note, this does not show the client information, does not show any expiration or SAN information, and only shows a single cert even if a chain is presented.
After v20240103.0 the output now looks like this:
=== TLS peer[0] subject=[/C=US/ST=Indiana/O=Swaks Development (signed-intermediate.example.com, with-SAN)/CN=signed-intermediate.example.com/emailAddress=proj-swaks@jetmore.net]
=== commonName=[signed-intermediate.example.com], subjectAltName=[DNS:signed-intermediate.example.com] notAfter=[2033-09-15T22:49:58Z]
=== TLS peer[1] subject=[/C=US/ST=Indiana/O=Swaks Development (ca-intermediate, without-SAN)/emailAddress=proj-swaks@jetmore.net]
=== commonName=[], subjectAltName=[] notAfter=[2033-09-15T22:49:32Z]
=== TLS peer certificate passed CA verification, passed host verification (using host signed-intermediate.example.com to verify)
This is better but not perfect. The primary goal of this ticket is that every part of the ca trust chain (including the ones in the local trust store) be printed during this debug, not just certs that were sent by the server. Openssl has to have access to this information. I've gotten close to it before using set_verify but I could never quite make it work right.
TO BE DONE: show example of openssl verifying the chain including the root cert out of the trusted store
TO BE DONE: show example of what I'd like swkas output to look like (root ca info printed, provided or trusted for each, verification status for each)
v20240103.0 improved certificate debugging a great deal. Prior to that release, only one cert was printed for debug. After, every cert that was directly provided (as opposed to being pulled from the local trust store) was displayed. Additionally, notAfter, commonName, and serverAltName for each cert were presented. (these changes apply to both local and peer cert, but this ticket is focusing only on peer certs)
For example, consider this command:
signed-intermediate-partial-chain.pem contains the cert for
signed-intermediate.example.comand also the intermediate cert, but not the root certPrior to v20240103.0, the interesting part would have looked like:
Of note, this does not show the client information, does not show any expiration or SAN information, and only shows a single cert even if a chain is presented.
After v20240103.0 the output now looks like this:
This is better but not perfect. The primary goal of this ticket is that every part of the ca trust chain (including the ones in the local trust store) be printed during this debug, not just certs that were sent by the server. Openssl has to have access to this information. I've gotten close to it before using set_verify but I could never quite make it work right.
TO BE DONE: show example of openssl verifying the chain including the root cert out of the trusted store TO BE DONE: show example of what I'd like swkas output to look like (root ca info printed, provided or trusted for each, verification status for each)