> From: openssl-users <openssl-users-boun...@openssl.org> On Behalf Of Mark Hack
> Sent: Thursday, 1 April, 2021 07:45
> To: openssl-users@openssl.org
> Subject: Re: Why does OpenSSL report google's certificate is "self-signed"?
> RFC6066
>    Note that when a list of URLs for X.509 certificates is used, the
>    ordering of URLs is the same as that used in the TLS Certificate
>    message (see [RFC5246], Section 7.4.2), but opposite to the order in
>    which certificates are encoded in PkiPath.  In either case, the
>    self-signed root certificate MAY be omitted from the chain, under the
>    assumption that the server must already possess it in order to
>    validate it.

Thanks! I thought I'd seen something about the question in some standard. 
Having seen this, I see that RFC 8446 (TLSv1.3) has essentially the same 
language: "a certificate that specifies a trust anchor MAY be omitted from the 
chain" (4.4.2). So servers are good either way.

Michael Wojcik
