[[EMAIL PROTECTED] - Mon Feb 10 16:53:48 2003]:

> Hello Steve,
> 
> Stephen Henson via RT wrote:
> > [[EMAIL PROTECTED] - Fri Feb  7 14:09:28 2003]:
> > 
> > 
> 
> > There are a number of problems with it. 
> [...]
> 
> > It really needs replacing with something less horrible. For example it
> > might:
> > 
> > 1. Build the chain using the normal certificate verify code including
> > the usual checks on validity and using appropriate purpose and trust.
> > 
> > 2. Give a (fatal?) error if the verification fails.
> > 
> > 3. Include a flag to exclude the root CA from outputted chain
> > 
> > 4. Include an flag to disable the automatic chain building altogether
> > and rely on the chain being correctly present in the extra certs of the
> > context.
> 
> I don't see a need for points 3 and 4.

Points 1 to 3 are largely doing what it does now but "properly". However,
it would require some changes to OpenSSL and some new APIs, for example
for new selectable purposes and trust settings for the chain build and
(possibly) a new cert store.

However, option 4 is easy to do and could be argued as being a "bug fix".

> If the CA certs for the server cert are in a separate list,
> the content of the cert chain is in control of the user.
> And if he doesn't want the root cert in the chain, he only
> has to exclude them in the config file.
> 
> The actual bug is only because OpenSSL tried to be too smart
> and included in the list certificates it never was told to include...
> 
> All I want to have is something like:
> 
> build the list of server CA certs from the given file
> (or build by SSL_CTX_add_extra_chain_cert())
> (in the order I give)
> and _don't_ include any other certificates...
> 

That's exactly what point 4 would do. You do something like:

SSL_CTX_set_mode(ctx, SSL_MODE_NO_AUTO_CHAIN);

at some stage and it would then just use the supplied certificate(s) in
SSL_CTX_add_extra_chain_cert().

> > 5. Cache the path after it has been determined.
> 
> Or build it one time and reuse it...
> 

Which leads to the interesting problem of when to build the chain. If
it's done on first use, this will result in configuration errors only
being apparent after a client connects.

On the other hand, the way that the various certificates and stores are
presented in arbitrary order, not to mention a new
SSL_MODE_NO_AUTO_CHAIN flag, makes it trickier to determine when it's OK
to build the chain.

Of course the cached chain might also become invalid at some point in
the future, such as when a certificate expires...

Steve.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
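As an added example (a shell script written for this page, not code from the thread or from OpenSSL itself) of the explicit-chain handling discussed above: the operator assembles the chain in the order given, leaves the root out, and validates the configured chain at startup so a misconfiguration surfaces before any client connects rather than at the first handshake. The PKI, names and paths are all constructed for the example and it assumes the openssl command-line tool is on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: a constructed root -> intermediate
# -> leaf PKI, a chain file assembled in the operator's order without the
# root, and a startup check that validates it before any client connects.
set -e

# Build a throwaway three-level PKI under $1 (constructed test material).
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/root.key" -out "$dir/root.pem" \
        -subj "/CN=Example Test Root" 2>/dev/null
    # The intermediate must carry CA:TRUE or path validation rejects it.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
        > "$dir/int.ext"
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/int.key" \
        -out "$dir/int.csr" -subj "/CN=Example Test Intermediate" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/int.csr" -CA "$dir/root.pem" \
        -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/int.ext" \
        -out "$dir/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" \
        -out "$dir/leaf.csr" -subj "/CN=server.example.test" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/int.pem" \
        -CAkey "$dir/int.key" -CAcreateserial -out "$dir/leaf.pem" 2>/dev/null
}

# Assemble the chain exactly as it should be sent: leaf first, then the
# intermediate, and no root (the client is expected to hold that itself).
assemble_chain() {
    cat "$1/leaf.pem" "$1/int.pem" > "$1/chain.pem"
}

# Startup check: verify the chain file ($1) against the trust store ($2)
# now, so a broken chain fails at load time rather than at first handshake.
# The first certificate in the file is the one verified; the rest are
# offered as untrusted intermediates. Exit status 0 = chain verifies.
check_chain() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Demo: a complete chain passes, a chain missing the intermediate fails.
work=$(mktemp -d)
make_test_pki "$work"
assemble_chain "$work"
check_chain "$work/chain.pem" "$work/root.pem" && echo "chain.pem: OK at startup"
cp "$work/leaf.pem" "$work/leaf_only.pem"
check_chain "$work/leaf_only.pem" "$work/root.pem" || echo "leaf_only.pem: rejected"
rm -rf "$work"
```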