On Thu, 2005-01-20 at 20:39 +0100, Richard Levitte - VMS Whacker wrote:
> In message <[EMAIL PROTECTED]> on Thu, 20 Jan 2005 12:03:13 -0600, Samuel Meder <[EMAIL PROTECTED]> said:
>
> meder> Got a question: It seems that OpenSSL allows the cert chain to
> meder> be any number of certificates which it then treats as a pool to
> meder> build the cert chain from whereas RFC 2246 says the certificate
> meder> chains must be ordered and no redundant certs are allowed (+/-
> meder> CA cert):
> meder>
> meder> "The sender's certificate must come first in the list. Each
> meder> following certificate must directly certify the one preceding
> meder> it."
>
> Yes? Does OpenSSL fail to accept a list of certificates ordered that
> way? Does OpenSSL fail to send a list of certificates in that manner?
> After all, RFC 2246 is about the bytes sent and received, nothing
> else. It doesn't care about the internal sorting in the software
> doing the sending and the receiving.
My point is that OpenSSL does work even if the list of certificates does not comply with RFC 2246 (and I believe you can easily make openssl send a list of non-ordered certs; I'm pretty sure we do if the cert chain fed to OpenSSL is non-ordered), which seems bad to me, and if a relatively small patch can be added to fix this, would you accept it?

/Sam

> Cheers,
> Richard
>
> -----
> Please consider sponsoring my work on free software.
> See http://www.free.lp.se/sponsoring.html for details.

--
Sam Meder <[EMAIL PROTECTED]>
The Globus Alliance - University of Chicago
630-252-1752
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
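The two behaviours the thread contrasts, side by side, as an added illustration that is not OpenSSL code or code from either poster: a strict RFC 2246 section 7.4.2 order check (sender's cert first, each following cert directly certifies the one before it, nothing redundant, root optionally omitted) next to a lenient pool-style builder that follows issuer links through an unordered pile. The `Cert` record, its subject/issuer strings and all sample certificates are constructed stand-ins; a real check would also verify each signature.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Cert:
    # Constructed stand-in for an X.509 certificate: only the two fields
    # the ordering rule needs (signature verification is out of scope here).
    subject: str
    issuer: str

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer

def check_rfc2246_order(chain: List[Cert], sender: Cert) -> Tuple[bool, str]:
    """Strict check in the spirit of RFC 2246 7.4.2: sender's certificate first,
    each following certificate directly certifies the preceding one, no extras.
    The root CA may be omitted, so a chain that stops at an intermediate passes."""
    if not chain:
        return False, "empty certificate list"
    if chain[0] != sender:
        return False, "sender's certificate is not first"
    if len(set(chain)) != len(chain):
        return False, "duplicate certificate in list"
    for i in range(1, len(chain)):
        prev, cur = chain[i - 1], chain[i]
        if prev.is_self_signed():
            # A self-signed (root) cert ends the path; anything after it is redundant.
            return False, f"redundant certificate after root: {cur.subject}"
        if cur.subject != prev.issuer:
            return False, f"{cur.subject} does not certify {prev.subject}"
    return True, "ordered"

def build_chain_from_pool(sender: Cert, pool: List[Cert]) -> Optional[List[Cert]]:
    """Lenient, pool-style construction (the behaviour the thread attributes to
    OpenSSL): walk issuer links through an unordered pool until a self-signed
    cert or a dead end. Unrelated certs in the pool are simply ignored."""
    by_subject = {c.subject: c for c in pool}
    chain, cur, seen = [sender], sender, {sender}
    while not cur.is_self_signed():
        nxt = by_subject.get(cur.issuer)
        if nxt is None:
            return None  # issuer not present in the pool
        if nxt in seen:
            return None  # issuer loop in the pool; refuse rather than spin
        chain.append(nxt)
        seen.add(nxt)
        cur = nxt
    return chain
```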