Hi. I have a question with respect to the SSL protocol. Is it part of the protocol that the SSL server sends the client the public keys for the CAs making up the certificate chain? Or is it acceptable to send just the server public key and expect the client to complete the chain on its own?

I can demonstrate with two examples. Assume a multi-level certificate chain: Root CA -> Intermediate CA -> server. I have two programs, Apache httpd and uw-imapd, and both operate differently in this respect.

In terms of uw-imapd, the client connecting (Thunderbird 0.8) knew about the Root CA and not the intermediate CA. Thunderbird 0.8 was unable to verify the chain, so an SSL connection could not be made. However, placing the public key of the Intermediate CA in the key file for the server made the problem go away.

In terms of Apache, running say Opera as a web client: if the web client doesn't know about the intermediate CA, the server sends the information, and the client trusts the information without a word to the user. If the Root CA certificate is deleted from the client, the server sends both the Root CA public key and the intermediate CA public key; Opera prompts the user, letting them know that it doesn't know about any of the 3 components and asking the user if he would like to trust the CAs. The fact that the client even knows about the Root CA means that the server is sending the whole chain along.

I'm not writing to ask about either of these programs (Apache/uw-imapd) because that is obviously discussion for a different list. What I'm wondering about is the protocol in general: should the server send the whole path, or not? Is there a standard?

Thanks for any information you can provide.

Jason Keltz

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager