Sorry, my mistake - the CA certificates were manually added to the context instead of just pointing to the directory where the CAs are. The order in which the CA certificates were added was wrong and hence the problem. Changing the code to just search in the directory causes only one cert to be sent to the client and the connection succeeds every time - nice.
Thanks for all your help
Leon

--
Leon Brits
[email protected]

On Friday, September 30, 2011 10:26 AM, "Leon Brits" <[email protected]> wrote:
> Hi all,
>
> My question is basically, how many CA certificates are allowed to be sent
> during the server certificate stage of the SSL protocol negotiations and
> do I control it (if at all)?
>
> My clients (a mono application) are able to connect to my SSL server if
> I only have 6 CA certificates in the CA directory configured in the
> SSL_CTX. Adding another two causes the clients to fail due to an "SSL
> certificate error". Watching the protocol with Wireshark it stops at the
> Server certificate stage of the negotiations. My theory is that the
> clients are limited and do not like so many (8) CA certs being sent
> and/or can not parse them all to validate its own certificate. Is this
> possible and what is the limit if any? All of the certificates are signed
> by a root CA so the depth level is 2.
>
> Thanks
> LJB
>
> --
> http://www.fastmail.fm - Or how I learned to stop worrying and
> love email again
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [email protected]
> Automated List Manager [email protected]

--
http://www.fastmail.fm - Email service worth paying for. Try it for free
