0
votes

I'm running OpenSSL v0.9.8j on SLES 11 and I'm having a problem with certificate validation while using SSLv2.

If I'm forcing openssl to use SSLv3 with -ssl3, openssl is able to validate the certificate. But if I switch to -ssl2 I get the following error:

verify error:num=20:unable to get local issuer certificat

I'm kinda new to SSL mechanics; is it possible that my local certificate (.pem) is only valid for SSLv3 and not SSLv2?

SSLv2 is broken and it should not be used. There's no reason to use SSLv3 in 2014. You should be using TLSv1 and above. Out of morbid curiosity, why do you want to support those protocol versions? - jww
OpenSSL 0.9.8j - I believe that's a fairly vulnerable version of the library, and it should not be used. See "openssl-0.9.8j can not connect to Google https services using SSLv3". - jww
I know SSLv2 is quite old, but the system I'm working on is too. The SSL upgrade is planned for later. OpenSSL 0.9.8j is the one supported by my SLES 11 installation. I'd switch to SSLv3 but I got interoperability problems using SSLv3, since the client is newer than the server and the BEAST patch seems to cause problems. - user3357471
"I know SSLv2 is quite old ..." - well, old is not the problem. The problem is SSLv2 is broken. It suffers downgrade attacks and leaves parts of the message unauthenticated. See Weith's "Differences Between SSLv2, SSLv3, and TLS". - jww

1 Answer

0
votes

"is it possible that my local certificate (.pem) is only valid for SSLv3 and not SSLv2?"

No. You probably can't validate this certificate over SSL2 if it is signed by an unknown intermediate authority, while SSL3 allows sending the whole certificate chain, thus validating the whole chain. The reason for your problem is that SSL2 does not implement certificate chaining.

The docs say: https://datatracker.ietf.org/doc/html/draft-hickman-netscape-ssl-00 (SSL 2): "The CERTIFICATE-DATA contains data defined by the CERTIFICATE-TYPE value. CERTIFICATE-TYPE is one of [..] The CERTIFICATE-DATA contains an X.509 (1988) signed certificate."

https://datatracker.ietf.org/doc/html/draft-ietf-tls-ssl-version3-00 (SSL 3): "certificate_list: This is a sequence (chain) of X.509.v3 certificates, ordered with the sender's certificate first followed by any certificate authority certificates proceeding sequentially upward."
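The effect the answer describes, as an added example that is not from the original post: a throwaway root, intermediate and leaf chain built with the openssl CLI (assumed to be OpenSSL 1.1 or later; all names and files are made up). Verifying the leaf against the root alone reproduces error 20, which is all a peer that presents only its own certificate, as SSLv2 does, leaves you with; supplying the intermediate, either as the chain a TLS peer would send or by adding it to the local trust file, makes verification succeed.

```shell
#!/bin/sh
# Added example (not the original poster's setup). Builds a disposable
# root -> intermediate -> leaf chain and verifies the leaf three ways.
set -e

WORK=$(mktemp -d)

make_chain() {
  cd "$WORK"
  # Self-signed root CA (openssl req -x509 marks it CA:TRUE by default).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Example Root CA" -days 2 2>/dev/null
  # Intermediate CA signed by the root; CA:TRUE is required for chain building.
  openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Intermediate CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile inter.ext -out inter.pem -days 2 2>/dev/null
  # Leaf (server) certificate signed by the intermediate, not by the root.
  openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=legacy.example.test" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > leaf.ext
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -extfile leaf.ext -out leaf.pem -days 2 2>/dev/null
}

# SSLv2-style: only the leaf is available and the trust store holds only the
# root, so the issuer cannot be found locally (error 20).
verify_leaf_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1 \
    && echo ok || echo fail
}

# SSLv3/TLS-style: the peer sends its chain, so the intermediate is available
# as an untrusted helper certificate and the path to the root closes.
verify_with_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1 && echo ok || echo fail
}

# Workaround for a peer that cannot send a chain: put the intermediate into
# the local trust file (the .pem handed to -CAfile) alongside the root.
verify_with_local_intermediate() {
  cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/trust.pem"
  openssl verify -CAfile "$WORK/trust.pem" "$WORK/leaf.pem" >/dev/null 2>&1 \
    && echo ok || echo fail
}

make_chain
echo "leaf only (SSLv2-style):        $(verify_leaf_only)"
echo "leaf + sent chain (TLS-style):  $(verify_with_chain)"
echo "leaf + intermediate in CAfile:  $(verify_with_local_intermediate)"
```

Run `openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem"` without the redirects to see the "unable to get local issuer certificate" text the question quotes.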