On Tue, Jun 18, 2013 at 04:50:06PM -0400, Dave Thompson wrote:

> > From: owner-openssl-us...@openssl.org On Behalf Of Carl Young
> > Sent: Tuesday, 18 June, 2013 07:10
> 
> > Sorry for top-post - webmail :(
> > 
> > In TLS, the server should not send the root certificate - it 
> > sends the chain up to, but not including, the root certificate.
> > 
> > From (sorry) 
> > http://technet.microsoft.com/en-us/library/cc783349(v=ws.10).aspx
> <snip>
> 
> "should not" is a little strong. It doesn't NEED to -- the relier 
> (here client) must never trust a root sent in the handshake -- but 
> it does no harm other than wasting a little wire time. For client 
> authentication, when used, the same is true in the other direction.
> RFC5246 says the root "MAY be omitted".

In fact with RFC 6698 DANE and digest matching type TLSA RRs with
certificate usage 2, the server SHOULD (in most cases MUST, but
the DANE WG won't let me say the obvious quite so strongly) send
the root CA, because otherwise the client will likely have no means
to compute the trust-anchor digest to compare with the TLSA record.

With usage 2 trust-anchors, the client cannot generally be presumed
to have prior access to trusted roots, so the server needs to send
these.

    http://tools.ietf.org/html/draft-dukhovni-dane-ops-00#section-4.2

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
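
Added example, not part of the original message or of OpenSSL: a sketch of the client-side lookup for a certificate usage 2 TLSA record, showing why a digest matching type leaves the client with nothing to compare when the server omits the root. It assumes selector 0 (full certificate) only; the function name and the byte strings standing in for DER certificates are constructed for illustration.

```python
import hashlib

# RFC 6698 matching types: 0 = exact data, 1 = SHA-256, 2 = SHA-512.
DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}

# Constructed stand-ins for DER-encoded certificates (not real certificates).
# Hashing real DER bytes works the same way.
LEAF = b"constructed-leaf-certificate"
INTERMEDIATE = b"constructed-intermediate-ca-certificate"
ROOT = b"constructed-root-ca-certificate"


def locate_trust_anchor(chain, usage, selector, mtype, assoc_data):
    """Find the usage 2 trust anchor named by one TLSA record.

    chain is the list of certificates the server sent, leaf first.
    Returns ("chain", index) when a sent certificate matches,
    ("record", None) when the record itself carries the certificate,
    or (None, None) when the client has nothing to match against.
    """
    if usage != 2 or selector != 0:
        raise ValueError("sketch covers usage 2 with selector 0 only")
    if mtype == 0:
        # Exact match: the record holds the full certificate, so the
        # anchor is available from DNS even if the server omits it.
        for i, cert in enumerate(chain):
            if cert == assoc_data:
                return ("chain", i)
        return ("record", None)
    if mtype not in DIGESTS:
        raise ValueError("unknown matching type")
    # Digest match: the only way to learn which certificate the digest
    # names is to hash the certificates the server actually sent.
    for i, cert in enumerate(chain):
        if DIGESTS[mtype](cert).digest() == assoc_data:
            return ("chain", i)
    return (None, None)


if __name__ == "__main__":
    root_sha256 = hashlib.sha256(ROOT).digest()
    full = [LEAF, INTERMEDIATE, ROOT]
    print("root sent:   ", locate_trust_anchor(full, 2, 0, 1, root_sha256))
    print("root omitted:", locate_trust_anchor(full[:2], 2, 0, 1, root_sha256))
    print("full record: ", locate_trust_anchor(full[:2], 2, 0, 0, ROOT))
```

A match only identifies the candidate trust anchor; the client still has to validate the chain's signatures up to it.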
