On Wed, Oct 28, 2009 at 06:51:02PM +0100, Dr. Stephen Henson wrote:
> On Wed, Oct 28, 2009, Mourad Cherfaoui (mcherfao) wrote:
> > I am not sure I understand why the client is broken? Did you mean that the
> > sign bit can be omitted if the client sends the entire chain of certificates
> > (except maybe the root) AND the server has the certificates chain as well?
> > Thanks.
>
> My comment about it being broken (or more likely misconfigured) was nothing to
> do with the keyUsage extension. The SSL/TLS standards do not allow a client to
> just present the EE certificate: the whole chain has to be presented with
> the possible exception of the root.
Well, per the BUGS section in SSL_CTX_set_client_cert_cb it is nigh-on impossible
for a client author to DTRT with OpenSSL because of the limitations of the API.

Regards,
Joe
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
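The point Stephen makes above (a server that trusts only the root cannot build a path from a bare EE certificate, so the client has to send its intermediates) can be seen with nothing more than the openssl CLI. The script below is an added example written for this thread, not code from either poster: it constructs a throwaway three-level PKI (root, intermediate, client EE; all subjects, file names and the temp directory are made up here), then emulates a root-only server trust store with `openssl verify`, once with the EE alone and once with the intermediate supplied as an untrusted peer-provided cert. It also writes `client_chain.pem` (EE first, then the intermediate, root omitted), which is the layout a client would load with SSL_CTX_use_certificate_chain_file() so that the extra certificates go out in the Certificate message. It assumes an openssl binary of 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Builds root -> intermediate -> EE with the openssl CLI and shows why a
# server that trusts only the root cannot validate a client that presents
# the end-entity (EE) certificate by itself.
# Subjects, file names and the work directory are constructed for the demo.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# Root CA: self-signed (req -x509 marks it CA:TRUE by default).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Demo Root CA" -keyout root.key -out root.pem >/dev/null 2>&1

# Intermediate CA: CSR signed by the root; CA:TRUE so it may issue EE certs.
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout inter.key -out inter.csr >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile ca.ext -out inter.pem >/dev/null 2>&1

# End-entity client certificate issued by the intermediate (clientAuth EKU).
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > ee.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
  -keyout ee.key -out ee.csr >/dev/null 2>&1
openssl x509 -req -in ee.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 365 -sha256 -extfile ee.ext -out ee.pem >/dev/null 2>&1

# The file a client hands to SSL_CTX_use_certificate_chain_file():
# EE first, then the issuing intermediate(s); the root is left out.
cat ee.pem inter.pem > client_chain.pem

# Emulate a server whose trust store holds only the root (-CAfile root.pem)
# and which received nothing but the EE cert. Prints "ok" or "fail".
verify_ee_alone() {
  if openssl verify -CAfile root.pem ee.pem >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Same server, but the client also sent the intermediate. -untrusted models
# "supplied by the peer, not trusted on its own": it only helps build the path.
verify_with_chain() {
  if openssl verify -CAfile root.pem -untrusted inter.pem ee.pem >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Number of certificates the client would send from client_chain.pem.
chain_cert_count() {
  grep -c 'BEGIN CERTIFICATE' client_chain.pem
}

echo "EE alone against a root-only trust store: $(verify_ee_alone)"
echo "EE plus intermediate:                     $(verify_with_chain)"
echo "certs in client_chain.pem:                $(chain_cert_count)"
```

Run it as `sh demo.sh`; the first verify fails with "unable to get local issuer certificate" (hidden here) and the second succeeds. The same split applies on the wire: a client loaded with only `ee.pem` via SSL_CTX_use_certificate_file() sends a one-certificate chain, while one loaded from `client_chain.pem` sends the intermediate too, which is what the server needs unless it has been configured with that intermediate itself.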