Laurens van der Blom

Software architect. Security professional (CISSP). Fitness/bootcamp guru. Obstacle runner. Ski lunatic.



OpenSSL and validation of self-signed certificates

Published: Sunday, February 16, 2020
Word count: 520. Estimated reading time: 3 minutes.

TL;DR

There is an open OpenSSL issue (#1418, with PRs #7918 and #10587): OpenSSL cannot validate a self-signed certificate unless that certificate carries the basicConstraints CA flag and the keyUsage bit Certificate Sign (keyCertSign). As long as the issue remains open and you really need this to work in your environment, you have to use the workaround and set both flags on the self-signed certificate. That is not correct (those flags belong on a CA certificate, not on an end-entity certificate) and it turns the certificate into a trust anchor that may issue further certificates, so guard its private key accordingly and remove the flags as soon as a fixed OpenSSL release is available.

Self-signed certificates

Normally, certificates are signed by certificate authorities (CAs) that browsers and services trust by default. There are, however, scenarios where self-signed certificates are preferred or even mandatory, especially in integrations secured by TLS with client authentication (client certificates), where the peer's certificate itself is pinned as the trust anchor instead of a CA. Because a self-signed certificate is signed with its own key, it is tempting to regard it as its own CA, but that is not what it is: it is an end-entity certificate that happens to be its own trust anchor, not an authority that issues certificates. Extensions such as basicConstraints and keyUsage exist to state what a certificate may be used for, and TLS libraries such as OpenSSL validate and thus enforce them. Unfortunately, OpenSSL has a bug where this validation does not work correctly for self-signed certificates.

Apache HTTPd with OpenSSL

When I was experimenting with Apache HTTPd with the OpenSSL library built in, I noticed strange behaviour when I wanted to use Apache HTTPd as a reverse proxy where the back-end server operated on HTTPS only, using a self-signed certificate. I kept receiving the OpenSSL error “unable to get local issuer certificate” in Apache HTTPd, although I was sure everything was set up correctly.

It took me a lot of digging, but finally I found out it was, and at the moment of writing still is, an issue with OpenSSL. I'll save you the trouble of searching. It appears that, according to a GitHub issue (with PRs #7918 and #10587), OpenSSL is not able to validate self-signed certificates unless both the CA flag and the KeyUsage flag “Certificate Sign” (keyCertSign) are set.

Those flags do not belong on a self-signed end-entity certificate: CA:TRUE and keyCertSign declare that the holder may issue certificates, which a server or client certificate has no business doing. The bug is that, when OpenSSL decides whether a self-signed certificate may act as its own issuer, it applies the same key-usage checks it would apply to a separate CA certificate, so a self-signed leaf that correctly omits these flags is rejected with “unable to get local issuer certificate”.

An update of OpenSSL, along with an Apache HTTPd built against it, is necessary to solve this properly, once the PRs have been merged and the issue closed in the OpenSSL repository on GitHub. Until then, if you really need it, you have to use the workaround: set basicConstraints to CA:TRUE and add keyCertSign to keyUsage on the self-signed certificate. Be aware of what that means: as far as OpenSSL is concerned, the certificate in your trust store is now a CA, so whoever holds its private key can mint certificates that your Apache HTTPd will accept. Protect that key as you would a CA key, add pathlen:0 so it at least cannot delegate to sub-CAs, and revert to a plain end-entity certificate as soon as the issue has been solved in a new OpenSSL release.

Finally, I experimented some more, and the same problem exists when Apache HTTPd (or OpenSSL in general) is configured as a server to require client authentication and the client uses a self-signed certificate. It is not able to verify the client certificate with these flags missing. The same workaround applies here too.
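Both cases (the proxy trusting the back-end's self-signed certificate via SSLProxyCACertificateFile, and the server trusting a client's self-signed certificate via SSLCACertificateFile with SSLVerifyClient require) come down to OpenSSL verifying a certificate with itself as the only trust anchor, which `openssl verify -CAfile cert.pem cert.pem` reproduces without any Apache in between. The script below is an added example, not code from the original post: it generates one self-signed certificate with the extensions an end-entity certificate should carry and one with the CA:TRUE / keyCertSign workaround, then verifies each against itself. It assumes an openssl CLI (1.1.1 or newer) on PATH; the subject name, the `leaf` and `workaround` section names and the validity period are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the self-signed
# certificate verification problem with nothing but the openssl CLI.
# Assumes openssl 1.1.1+ on PATH; CN, section names and validity are made up.

# write_config FILE: minimal req config with two extension sections.
write_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no

[dn]
CN = backend.example.test

# What a self-signed end-entity (server or client) certificate should look like.
[leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash

# The workaround from the post: declare the certificate a CA that may sign
# certificates. pathlen:0 at least stops it from delegating to sub-CAs.
[workaround]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
EOF
}

# make_cert DIR NAME SECTION: self-signed cert DIR/NAME.pem and key DIR/NAME.key
# using extension section SECTION of the config above.
make_cert() {
    dir=$1; name=$2; section=$3
    [ -f "$dir/req.cnf" ] || write_config "$dir/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$dir/req.cnf" -extensions "$section" \
        -keyout "$dir/$name.key" -out "$dir/$name.pem" 2>/dev/null
}

# has_ext DIR NAME PATTERN: exit 0 if the decoded certificate contains PATTERN
# (e.g. 'CA:TRUE' or 'Certificate Sign'), so you can check what you produced.
has_ext() {
    openssl x509 -in "$1/$2.pem" -noout -text | grep -q "$3"
}

# verify_self DIR NAME: verify the certificate with itself as the only trust
# anchor. This is exactly the check Apache/OpenSSL performs when
# SSLProxyCACertificateFile or SSLCACertificateFile points at the peer's
# self-signed certificate. Prints OpenSSL's verdict, exit status as openssl's.
verify_self() {
    openssl verify -CAfile "$1/$2.pem" "$1/$2.pem" 2>&1
}

# demo: build both certificates and report how OpenSSL treats each one.
demo() {
    work=$(mktemp -d)
    for n in leaf workaround; do
        make_cert "$work" "$n" "$n"
        printf '%s: ' "$n"
        if verify_self "$work" "$n" >/dev/null; then
            echo "verifies against itself"
        else
            echo "rejected: $(verify_self "$work" "$n" | grep error | head -n 1)"
        fi
    done
    rm -rf "$work"
}

demo
```

On an OpenSSL build affected by the issue, the `leaf` line reports “unable to get local issuer certificate” and only the `workaround` certificate verifies; on a build where the issue is fixed, both verify. Run it with the same OpenSSL your Apache HTTPd is linked against and you know immediately whether you still need the workaround.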

Hopefully this post has been useful for you and has especially saved you some valuable time!