Certificate Transparency in OpenSSL

OpenSSL version 1.1 added support for verifying Certificate Transparency is being used on an SSL connection. The "openssl s_client" command can be used to see the SCTs provided over a connection:
$ openssl s_client -connect google.com:443 -ct
CONNECTED(00000003)
[...]
---
SCTs present (2)
---
SCT validation status: valid
Signed Certificate Timestamp:
    Version   : v1 (0x0)
    Log       : Comodo Sabre CT log
    Log ID    : 55:81:D4:C2:16:90:36:01:4A:EA:0B:9B:57:3C:53:F0:
                C0:E4:38:78:70:25:08:17:2F:A3:AA:1D:07:13:D3:0C
    Timestamp : Mar 13 20:05:26.276 2018 GMT
    Extensions: none
    Signature : ecdsa-with-SHA256
                30:45:02:20:07:50:5B:7E:CC:20:19:40:38:91:35:04:
                8D:F4:5D:2D:97:2B:3F:AF:C9:87:9D:B5:50:EA:2C:47:
                A9:CB:67:F5:02:21:00:A3:4E:50:DA:7C:F7:99:61:E5:
                F4:93:C9:C4:97:BC:89:EC:17:03:8B:15:2C:89:3D:98:
                BA:A3:5A:42:5C:C7:E1
---
SCT validation status: valid
Signed Certificate Timestamp:
    Version   : v1 (0x0)
    Log       : Google Rocketeer log
    Log ID    : EE:4B:BD:B7:75:CE:60:BA:E1:42:69:1F:AB:E1:9E:66:
                A3:0F:7E:5F:B0:72:D8:83:00:C4:7B:89:7A:A8:FD:CB
    Timestamp : Mar 13 20:05:25.963 2018 GMT
    Extensions: none
    Signature : ecdsa-with-SHA256
                30:46:02:21:00:BE:9C:26:70:2B:FF:F3:08:40:9A:99:
                F5:DE:3C:12:23:D7:5C:51:4E:09:B0:F8:D7:34:EB:D2:
                2C:92:D0:E0:2F:02:21:00:F4:C5:09:B0:E9:6C:DB:BF:
                14:D6:73:98:04:9D:43:34:FD:B9:55:74:17:B4:73:2A:
                F5:1A:EF:68:2D:D7:93:F4
---
SSL handshake has read 4115 bytes and written 274 bytes
Verification: OK
---
[...]

Applications can take advantage of this using OpenSSL's CT API. To simply require that a certificate is accompanied by at least one SCTs with a valid signature, add the following call to your application:

SSL_CTX_enable_ct(ctx, SSL_CT_VALIDATION_STRICT);

If you want more control over what constitutes a reasonable set of SCTs, you can register a callback to evaluate the SCTs:

int at_least_two_scts(const CT_POLICY_EVAL_CTX *ctx, const STACK_OF(SCT) *scts, void *arg) {
    return sk_SCT_num(scts) >= 2;
}

SSL_CTX_set_ct_validation_callback(ctx, at_least_two_scts, NULL);

Verification of SCTs requires an up-to-date CT log list (by default, named ct_log_list.cnf in OpenSSL's data directory). If this is not supplied by your users' OpenSSL distribution, your application will need to provide one.

Comments