Samy Thiyagarajan wrote:
>
> Hi,
> Maybe changing the verification of the depth level solves this issue.
> (I mean check the chain only up to User CA 1 and not up to the Root CA.)
> In this case it should not report about missing valid root.
>
> I'm not sure. This is just an idea.

Good idea. But unfortunately it does not work out. I removed the root-certificate from the SSLCACertificateFile. The Server now only allows the user CA 1 (otherwise it still offers the root CA as valid CA). And I shortened the verifyDepth to one. But the server denies access saying:

[Tue Mar 07 15:56:34 2006] [error] Certificate Verification: Error (20): unable to get local issuer certificate

Seems that "verifyDepth" still requires a self-signed root certificate (so the chain has to reach the top level in the given number of steps).

Hm... Any other proposals? :-)

Cheers, Olaf

--
Dipl.Inform. Olaf Gellert PRESECURE (R)
Senior Researcher, Consulting GmbH
Phone: (+49) 0700 / PRESECURE [EMAIL PROTECTED]

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
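An added example, not part of the original messages: the situation described above, reproduced with the openssl command line on a constructed three-level PKI (Root CA -> User CA 1 -> user certificate; all subject names, file names and helper functions are made up for illustration). With only User CA 1 in the trust store, verification is rejected by default because the chain does not end in a trusted self-signed certificate; the -partial_chain option of "openssl verify" (OpenSSL 1.0.2 and later) accepts a chain that ends at any certificate in the trust store.

```shell
#!/bin/sh
# Constructed test PKI, not from the thread: Root CA -> User CA 1 -> user cert.
# Assumes an openssl binary (1.0.2 or later) with its default config installed.

q() { "$@" >/dev/null 2>&1; }   # run a command quietly, keep its exit status

make_chain() {
    d=$1
    # Extensions that mark User CA 1 as a CA certificate.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    # Self-signed root (it only signs User CA 1; it is never put in the trust store).
    q openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Example Root CA' \
        -keyout "$d/root.key" -out "$d/root.pem" || return 1
    # User CA 1, issued by the root.
    q openssl req -newkey rsa:2048 -nodes -subj '/CN=Example User CA 1' \
        -keyout "$d/ca1.key" -out "$d/ca1.csr" || return 1
    q openssl x509 -req -in "$d/ca1.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/ca1.pem" || return 1
    # User certificate, issued by User CA 1.
    q openssl req -newkey rsa:2048 -nodes -subj '/CN=Example User' \
        -keyout "$d/user.key" -out "$d/user.csr" || return 1
    q openssl x509 -req -in "$d/user.csr" -CA "$d/ca1.pem" -CAkey "$d/ca1.key" \
        -CAcreateserial -days 2 -out "$d/user.pem"
}

# Verify the user certificate with ONLY User CA 1 as trusted CA.
# Extra arguments (for example -partial_chain) are passed to openssl verify.
# Returns 0 only if openssl reports "user.pem: OK".
verify_ca1_only() {
    d=$1; shift
    openssl verify "$@" -CAfile "$d/ca1.pem" "$d/user.pem" 2>&1 | grep -q ': OK$'
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_chain "$tmp" || { rm -rf "$tmp"; return 1; }
    if verify_ca1_only "$tmp"; then echo "default:        accepted"
    else echo "default:        rejected"; fi
    if verify_ca1_only "$tmp" -partial_chain; then echo "-partial_chain: accepted"
    else echo "-partial_chain: rejected"; fi
    rm -rf "$tmp"
}

demo
```

With -partial_chain the intermediate itself becomes the trust anchor, so the trust store should then contain only the CAs whose users are meant to be accepted.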