On Thu, Oct 29, 2009, Joe Orton wrote:
> On Wed, Oct 28, 2009 at 06:51:02PM +0100, Dr. Stephen Henson wrote:
> > On Wed, Oct 28, 2009, Mourad Cherfaoui (mcherfao) wrote:
> > > I am not sure I understand why the client is broken? Did you mean that the
> > > sign bit can be omitted if the client sends the entire chain of certificates
> > > (except maybe the root) AND the server has the certificates chain as well?
> > > Thanks.
> >
> > My comment about it being broken (or more likely misconfigured) was nothing to
> > do with the keyUsage extension. The SSL/TLS standards do not allow a client to
> > just present the EE certificate: the whole chain has to be presented with
> > the possible exception of the root.
>
> Well, per the BUGS section in SSL_CTX_set_client_cert_cb it is nigh-on
> impossible for a client author to DTRT with OpenSSL because of the
> limitations of the API.
>
Hmm... seems to be a little out of date. It is possible to add certs to the store and set them to an appropriate trust value to avoid them being acceptable as server roots.

Though we should really have a callback which can return the whole chain too.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
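As an added example (not code from this thread or from the OpenSSL project), the shell script below shows the workaround Steve describes: the intermediate CA certificate is put into the trust store as a TRUSTED CERTIFICATE whose only trusted use is clientAuth, so chain building can still find it while the same store refuses to accept it as an anchor for server authentication. It builds a constructed root/intermediate/client PKI with the openssl command line; every file name, subject and config section is an assumption, and the "rejected" verdict relies on the explicit-trust semantics of OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a toy root -> intermediate -> leaf
# PKI, then stores the intermediate with an explicit clientAuth trust setting.
# Needs only the openssl CLI (1.1.0+ for the trust-rejection verdict).
set -e

# Create keys and certificates in a fresh temporary directory; prints its path.
setup_pki() {
    d=$(mktemp -d)
    # Minimal req config plus the extension sections we need (constructed).
    cat > "$d/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
EOF
    # Self-signed root CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$d/req.cnf" -extensions ca_ext -subj "/CN=Example Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Intermediate CA signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
        -subj "/CN=Example Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/req.cnf" -extensions ca_ext -out "$d/int.pem" 2>/dev/null
    # End-entity client cert signed by the intermediate. It carries no EKU, so
    # only the trust settings in the store decide the verdicts below.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
        -subj "/CN=example client" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -extfile "$d/req.cnf" -extensions leaf_ext -out "$d/leaf.pem" 2>/dev/null
    # The thread's point: store the intermediate as a TRUSTED CERTIFICATE whose
    # only trusted use is clientAuth. Chain building still finds it, but it is
    # not acceptable as a trust anchor for server authentication.
    openssl x509 -in "$d/int.pem" -addtrust clientAuth -out "$d/int.trusted.pem"
    cat "$d/root.pem" "$d/int.trusted.pem" > "$d/store.pem"
    echo "$d"
}

# Print "accepted" or "rejected" for verifying the leaf against the store
# under the given purpose ($2 is sslclient or sslserver).
trust_verdict() {
    if openssl verify -purpose "$2" -CAfile "$1/store.pem" "$1/leaf.pem" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

pki=$(setup_pki)
echo "intermediate as sslclient anchor: $(trust_verdict "$pki" sslclient)"   # accepted
echo "intermediate as sslserver anchor: $(trust_verdict "$pki" sslserver)"   # rejected
rm -rf "$pki"
```

The C equivalent of the `-addtrust` step is X509_add1_trust_object() on the intermediate before X509_STORE_add_cert(); a SSL_CTX_set_client_cert_cb() callback then only has to return the end-entity certificate and key, and OpenSSL completes the chain from the store, as the thread discusses. Releases from OpenSSL 1.0.2 onward also provide SSL_CTX_set0_chain() and SSL_set0_chain(), which let an application hand over the extra chain certificates directly instead of placing them in the trust store.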