On Tue, Oct 27, 2009, Mourad Cherfaoui wrote:
> Hi,
>
> I have a chain of certificates C->B->A->RootCA. The TLS client only presents C during the TLS handshake. RootCA has the Certificate Sign extension set but not B and A. The TLS server fails the TLS handshake because of the absence of the Certificate Sign extension in B and A.
>
> My first question: if the TLS server has the entire chain of certificates B->A->RootCA in its truststore, is it correct to assume that the Certificate Sign extension is not required in B and A?
>
> My second question: by default the TLS server will fail the TLS handshake because of the absence of the Certificate Sign extension. Is there a recommended way to disable the check for this extension in the TLS handshake?
>
> Thanks, Mourad.
The client is broken then; the standard requires that the entire chain be presented, with the possible exception of the root.

What do you mean by "Certificate Sign extension"? Do you mean the keyUsage extension is present but doesn't set the certificate sign bit? If so the certificate is broken.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
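A way to see both of Steve's points on a chain of your own, as an added example that is not part of the thread: it builds a root, two versions of an intermediate A (with and without the keyCertSign bit) and a leaf C with the openssl command line, then runs the same path validation a server performs, with and without the intermediate supplied. The helper names (new_csr, issue, key_usage, verify_chain) are ours, and the exact error text openssl prints for a rejected chain varies by version.

```shell
#!/bin/sh
# Two small chains built with openssl and validated as a TLS server would: the
# intermediate A either carries keyUsage keyCertSign or does not.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
# new_csr NAME CN: fresh RSA key and CSR under $WORK (helper names are ours)
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
# issue NAME ISSUER EXTENSIONS: sign NAME.csr with ISSUER's key and the given
# X.509v3 extension lines; ISSUER=self produces the self-signed root
issue() {
  printf '%s\n' "$3" > "$WORK/$1.ext"
  if [ "$2" = self ]; then signer="-signkey $WORK/$1.key"
  else signer="-CA $WORK/$2.crt -CAkey $WORK/$2.key -CAcreateserial"; fi
  # $signer is deliberately unquoted (word-split); mktemp paths carry no spaces
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" $signer 2>/dev/null
}
CA_OK='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
CA_NOSIGN='basicConstraints=critical,CA:TRUE
keyUsage=critical,digitalSignature'   # CA:TRUE but no certificate-sign bit
LEAF='basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment'
new_csr root RootCA; issue root  self  "$CA_OK"
new_csr a_ok  A;     issue a_ok  root  "$CA_OK"
new_csr a_bad A;     issue a_bad root  "$CA_NOSIGN"
new_csr c_ok  C;     issue c_ok  a_ok  "$LEAF"
new_csr c_bad C;     issue c_bad a_bad "$LEAF"
# key_usage NAME: print the decoded Key Usage line, the first thing to inspect
key_usage() {
  openssl x509 -in "$WORK/$1.crt" -noout -text | sed -n '/X509v3 Key Usage/{n;p;}'
}
# verify_chain LEAF [INTERMEDIATE]: path validation trusting only the root,
# with the intermediate supplied (as the client should send it) or omitted
verify_chain() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/$2.crt" "$WORK/$1.crt"
  else openssl verify -CAfile "$WORK/root.crt" "$WORK/$1.crt"; fi
}
verify_chain c_ok a_ok                  # accepted
verify_chain c_bad a_bad || echo "rejected: A lacks keyCertSign"
verify_chain c_ok || echo "rejected: leaf sent without its intermediate"
```

Running key_usage on a_bad shows "Digital Signature" only, which is the state Steve calls a broken certificate; the fix is reissuing A (and B) with keyCertSign, not relaxing the server.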