Arno Garrels wrote:
> Next create a CAFile that contains both [1] and [2]
> (I think [1] has to be the first, however I always forget the order
> in which they must appear, just play).

The best way to determine what certificates are sent to the peer
requesting certificate verification is to add them to the PEM 
file specified in TSslContext.SslCertFile. 

The order starts with the server or client certificate followed
by required intermediate certificates until the root certificate,
for example:


// Server or client certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

// Intermediate CA, signed preceding certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

// Here we do not add the root since we assume the verifying
// peer has at least the root in his trusted certificates.
// But it could be appended as well if you like.
// If there are more intermediate CAs in the chain, they all
// have to be added.

-- 
Arno Garrels