On 29/08/17 00:09, James Cowgill wrote:
> I think this is the commit which fixes this, but I have not checked yet:
> https://github.com/ARMmbed/mbedtls/commit/31458a18788b0cf0b722acda9bb2f2fe13a3fb32

In addition, this commit must be applied before that one:
https://github.com/ARMmbed/mbedtls/commit/d15795acd5074e0b44e71f7ede8bdfe1b48591fc

I created a test certificate chain for this (before I realized upstream
already had one) which I have attached. The bug can be reproduced using
mbedtls's test programs (available from manually built source).

First, start a server:
programs/ssl/ssl_server2 crt_file=test-certs/chain.pem key_file=test-certs/child.key

Then run the child like this:
programs/ssl/ssl_client2 server_name=Child server_addr=localhost auth_mode=optional

Currently, the client will claim that the certificate validated. This is
quite astounding since I didn't even give the client a list of trusted
CAs!
> . Verifying peer X.509 certificate... ok

After applying the patches the client will correctly fail the
certificate validation.

James

Attachment: test-certs.tar.gz
Description: application/gzip

Attachment: signature.asc
Description: OpenPGP digital signature
