On Mon, Jan 06, 2014 at 05:38:27PM -0500, Dave Thompson wrote:
>
> > When only certificates 2 and 1 are sent, the verification is
> > successful because it's now trying to find the issuer of 2, being
> > 3, and does find that in my CApath.
> >
> Are you sure the '3' in your truststore is the same as the one sent?
> If so, openssl should find 3 and then look for 4 and fail the same way.
> I'd bet you actually have '3A' -- a different cert for the same CA
> name (and key), which is self-signed and thus a root. In that case
> the chain 1,2,3A verifies, but the chain 1,2,3,(4) fails.

The one in my trust store, let's call it 3A, is not exactly the same as the 3 I received. That is, 3A is self-signed, 3 isn't. But 3A and 3 have the same subject, public key, and subject hash.

> > Wouldn't it make sense to check that any of the certificates that
> > are sent are in the CApath rather than just the issuer of the
> > last one in the chain?
> >
> In other words, try multiple or 'alternate' CA paths, not just
> the 'first' one given by the message (or other protocol).
> Yes, many (most?) other SSL implementations do that.
> openssl, at least through 1.0.1, does not. There are apparently
> changes in cert/chain verification coming in 1.0.2, but I don't
> know if it includes this.

I think it would be useful if it could do that.

Kurt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
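The 3 / 3A situation discussed above, as an added example that is not part of the thread: a shell script (assuming an `openssl` binary on PATH and its default config) that builds the five certificates and runs each chain through `openssl verify`. All names, key sizes and file layout are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: build the hierarchy Kurt describes
# and check each chain with `openssl verify`. Names and key sizes are constructed.
#   4  : self-signed root that is NOT in the trust store
#   3  : intermediate signed by 4 (the copy the peer sends)
#   3A : same subject and key as 3, but self-signed (the trust-store copy)
#   2  : intermediate signed with 3's key;  1 : leaf signed by 2
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# issue NAME ISSUER EXTFILE: sign a fresh CSR for kNAME.pem with ISSUER's key.
issue() {
    openssl req -new -key "k$1.pem" -subj "/CN=cert$1" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "k$2.pem" -CAcreateserial \
        -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
}

make_pki() {
    cd "$WORK"
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext
    for n in 4 3 2 1; do openssl genrsa -out "k$n.pem" 2048 2>/dev/null; done
    # Self-signed certs: root 4, and 3A, which reuses 3's key and subject.
    openssl req -new -x509 -key k4.pem -subj /CN=cert4 -days 30 -out 4.pem 2>/dev/null
    openssl req -new -x509 -key k3.pem -subj /CN=cert3 -days 30 -out 3A.pem 2>/dev/null
    issue 3 4 ca.ext      # 3 is the cross-signed twin of 3A
    issue 2 3 ca.ext
    issue 1 2 leaf.ext
}

# verify_chain TRUSTED UNTRUSTED...: 0 when 1.pem verifies with TRUSTED as the
# only trust anchor and UNTRUSTED... playing the certificates the peer sent.
verify_chain() {
    trusted=$1; shift
    ( cd "$WORK" && cat "$@" > untrusted.pem &&
      openssl verify -CAfile "$trusted" -untrusted untrusted.pem 1.pem >/dev/null 2>&1 )
}

make_pki
# Peer sends 1,2: the issuer of 2 is looked up in the store and 3A matches.
verify_chain 3A.pem 2.pem && echo "store{3A}, sent 1,2   : OK"
# Peer sends 1,2,3: OpenSSL 1.0.1 follows 3 to its issuer 4, finds nothing and
# fails; 1.0.2 (alternate chains) and 1.1.0+ (trusted-first) accept it via 3A.
verify_chain 3A.pem 2.pem 3.pem && echo "store{3A}, sent 1,2,3 : OK on this build"
# No copy of 3 anywhere: fails on every version (unable to get issuer certificate).
verify_chain 4.pem 2.pem || echo "store{4},  sent 1,2   : rejected, as expected"
```

On a 1.0.1 build the second case prints nothing because verification fails, which is the behaviour Kurt reported; from 1.1.0 the trust store is consulted before the peer-sent certificates (X509_V_FLAG_TRUSTED_FIRST is the default), so the same chain verifies through 3A.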