On Wed, Oct 28, 2009, Mourad Cherfaoui (mcherfao) wrote:

> I am not sure I understand why the client is broken? Did you mean that the
> sign bit can be omitted if the client sends the entire chain of certificates
> (except maybe the root) AND the server has the certificates chain as well?
> Thanks.

My comment about it being broken (or more likely misconfigured) was nothing to do with the keyUsage extension. The SSL/TLS standards do not allow a client to just present the EE certificate: the whole chain has to be presented with the possible exception of the root.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
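
Added example, not part of the original message and not OpenSSL code: a name-based model of the chain rule described above, showing why a client that presents only its EE certificate is flagged while one that omits only the root is accepted. The `Cert` type, the function name and the certificate names are constructed for illustration; real validation also checks signatures, validity periods and extensions.

```python
from typing import NamedTuple


class Cert(NamedTuple):
    subject: str
    issuer: str


def check_presented_chain(cert_list, trust_anchors):
    """Return (ok, reason) for the certificate list a TLS peer presented.

    cert_list: certificates in the order sent, EE certificate first.
    trust_anchors: subject names of the roots the verifier holds locally.
    Only names are compared (an assumption of this model).
    """
    if not cert_list:
        return False, "empty certificate list"
    # Each following certificate must directly certify the one before it.
    for prev, nxt in zip(cert_list, cert_list[1:]):
        if nxt.subject != prev.issuer:
            return False, f"{nxt.subject!r} does not certify {prev.subject!r}"
    last = cert_list[-1]
    if last.subject == last.issuer:  # the self-signed root was sent
        if last.subject in trust_anchors:
            return True, "complete chain, root included"
        return False, f"root {last.subject!r} is not a trust anchor"
    if last.issuer in trust_anchors:  # only the root was left out
        return True, "complete chain, root omitted"
    return False, f"chain stops at {last.subject!r}; issuer {last.issuer!r} not presented"


# Constructed sample certificates (names only).
EE = Cert("CN=client", "CN=Example Issuing CA")
INTERMEDIATE = Cert("CN=Example Issuing CA", "CN=Example Root CA")
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
ANCHORS = {"CN=Example Root CA"}

if __name__ == "__main__":
    for chain in ([EE], [EE, INTERMEDIATE], [EE, INTERMEDIATE, ROOT], [INTERMEDIATE, EE]):
        print([c.subject for c in chain], check_presented_chain(chain, ANCHORS))
```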