Hello, I'm working with the CAPI engine, and I believe that I have found an issue, but I'm not sure of the right way to fix it, so some advice would be helpful.
The function capi_load_ssl_client_cert in e_capi.c searches through all certificates in the store using CertEnumCertificatesInStore(), then compares that cert's issuer with the list of certificate authorities sent by the peer. In my case this is failing to find a match. The CA sent from the server is something like "StartCom Certification Authority", but my cert has an issuer of "StartCom Class 1 Primary Intermediate Client CA". The cert chain looks like:

[my cert (issued by intermediate)] -> [intermediate cert] -> [root cert (issued by StartCom CA)]

The code in OpenSSL is only looking at the issuer of the cert, and not walking up the cert chain. I see a couple of possible solutions:

1) For each cert, walk the cert chain and check the issuer of each cert up the chain against the list of CAs sent by the peer.

2) Instead of using CertEnumCertificatesInStore, use CertFindChainInStore, and let CAPI find the matching certs (this is what Chromium does: http://src.chromium.org/viewvc/chrome/trunk/src/net/socket/ssl_client_socket_nss.cc?revision=77352&view=markup).

-john

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
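As an added illustration of option 1 from the post above (this is not code from the post, from e_capi.c or from OpenSSL), the chain walk below runs against a constructed in-memory store in which plain strings stand in for the X509_NAME subject and issuer fields, so it compiles without CAPI or OpenSSL. The type cert_t, the functions find_issuer, issuer_only_matches, chain_matches_ca_list and select_client_cert, and the store contents (built from the chain described in the post plus one unrelated cert with an incomplete chain) are all assumptions made for this example. It shows why the issuer-only comparison misses the leaf while a walk up the chain selects it, and it stops at a self-signed root, at a missing issuer, and after a fixed depth so a malformed store cannot loop forever.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a certificate: only the two fields the matching
 * logic needs. Real code compares DER-encoded X509_NAMEs, not strings. */
typedef struct {
    const char *subject;
    const char *issuer;
} cert_t;

/* Constructed store: the chain from the post, plus an unrelated leaf whose
 * issuer is not present in the store (incomplete chain). */
const cert_t kStore[] = {
    { "my cert",                                         "StartCom Class 1 Primary Intermediate Client CA" },
    { "StartCom Class 1 Primary Intermediate Client CA", "StartCom Certification Authority" },
    { "StartCom Certification Authority",                "StartCom Certification Authority" },
    { "unrelated cert",                                  "Other Root CA" },
};
const size_t kStoreLen = sizeof kStore / sizeof kStore[0];

/* Constructed CA list, as the peer would send it in its CertificateRequest. */
const char *const kPeerCAs[] = { "StartCom Certification Authority" };
const size_t kPeerCALen = sizeof kPeerCAs / sizeof kPeerCAs[0];

static int name_in_ca_list(const char *name, const char *const *ca_list, size_t n_ca)
{
    for (size_t i = 0; i < n_ca; i++)
        if (strcmp(name, ca_list[i]) == 0)
            return 1;
    return 0;
}

/* Stand-in for chain building: find the issuing cert by its subject name.
 * Returns NULL when the issuer is not in the store. */
static const cert_t *find_issuer(const cert_t *store, size_t n, const cert_t *c)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(store[i].subject, c->issuer) == 0)
            return &store[i];
    return NULL;
}

/* The behaviour the post describes: only the leaf's direct issuer is compared
 * against the peer's CA list. */
int issuer_only_matches(const cert_t *leaf, const char *const *ca_list, size_t n_ca)
{
    return name_in_ca_list(leaf->issuer, ca_list, n_ca);
}

/* Option 1 from the post: walk from the leaf towards the root and accept if
 * any issuer on the way is in the peer's list. Stops at a self-signed root,
 * at a missing issuer, or after MAX_DEPTH hops. */
#define MAX_DEPTH 32
int chain_matches_ca_list(const cert_t *store, size_t n, const cert_t *leaf,
                          const char *const *ca_list, size_t n_ca)
{
    const cert_t *c = leaf;
    for (int depth = 0; c != NULL && depth < MAX_DEPTH; depth++) {
        if (name_in_ca_list(c->issuer, ca_list, n_ca))
            return 1;
        if (strcmp(c->subject, c->issuer) == 0)   /* self-signed root: chain ends */
            return 0;
        c = find_issuer(store, n, c);
    }
    return 0;
}

/* Index of the first store cert whose chain reaches one of the peer's CAs,
 * or -1 when none does. */
int select_client_cert(const cert_t *store, size_t n,
                       const char *const *ca_list, size_t n_ca)
{
    for (size_t i = 0; i < n; i++)
        if (chain_matches_ca_list(store, n, &store[i], ca_list, n_ca))
            return (int)i;
    return -1;
}

int main(void)
{
    printf("issuer-only match for leaf: %d\n",
           issuer_only_matches(&kStore[0], kPeerCAs, kPeerCALen));
    printf("chain match for leaf:       %d\n",
           chain_matches_ca_list(kStore, kStoreLen, &kStore[0], kPeerCAs, kPeerCALen));
    printf("selected cert index:        %d\n",
           select_client_cert(kStore, kStoreLen, kPeerCAs, kPeerCALen));
    return 0;
}
```

In this toy store the intermediate and root certs are themselves enumerated and would also pass the chain check; a real implementation would restrict candidates to certs with a private key and client-authentication usage, which is part of what letting CertFindChainInStore do the matching (option 2) buys you.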
