On 11/03/2016 03:27, Viktor Dukhovni wrote:
> On Fri, Mar 11, 2016 at 02:44:59AM +0100, Jakob Bohm wrote:
>
> Well, no, 1.0.2 uses the trust store not only for trust-anchors,
> but also as a capricious source of intermediate certificates, whose
> behaviour varies depending on whether the peer supplied same said
> certificates on the wire or not. I expect to improve the capricious
> behaviour.
>
>> You keep dodging the question: Does 1.0.2g trust or not
>> trust intermediary certs found in the "CA" store?
>
> They are not trust-anchors, so absent an issuer higher up, they
> are not sufficient to establish a "chain of trust", unless the
> application enables "partial chain" support.
Ok, that reverses the fundamental assumption behind all my
previous posts (including post #2 in this thread). Why didn't
you state this earlier?
...

>> An intermediate-CApath store would typically act as a
>> growing cache of encountered intermediaries, needing a
>> lot fewer security considerations than a trusted-CApath.
>> This is especially useful with protocols and protocol
>> variants where the convention is to not send the full
>> certificate chain at all, but rather to expect the
>> opposing end to request (and cache) any missing
>> intermediaries as necessary.
>
> Fine for browsers, not so practical for OpenSSL which does not go
> around downloading certificates on the fly.

Actually, I have only seen this done in non-browser
use of TLS (and only by Microsoft).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
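As an added example, not code from the thread or from the OpenSSL project, the following script builds a throwaway root, intermediate and leaf (all names constructed) and uses `openssl verify` to show the behaviours discussed above: an intermediate sitting in the trust store is not a trust anchor unless `-partial_chain` is enabled, while an intermediate handed over as `-untrusted` (the cache-of-intermediaries role) completes the chain against a real root. It assumes the `openssl` CLI (1.0.2 or later) and its default config file are present.

```shell
#!/bin/sh
# Added example, not code from the thread: how `openssl verify` treats an
# intermediate CA certificate depending on where it is supplied.
# Assumes the openssl CLI (1.0.2 or later, for -partial_chain) is on PATH.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension profile so root and intermediate are genuine CA certificates.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Constructed throwaway hierarchy: ExampleRoot -> ExampleIntermediate -> leaf.example
for n in root inter leaf; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$n.key"
done
openssl req -new -key root.key -subj /CN=ExampleRoot -out root.csr
openssl x509 -req -sha256 -in root.csr -signkey root.key -set_serial 1 \
    -days 2 -extfile ca.ext -out root.pem
openssl req -new -key inter.key -subj /CN=ExampleIntermediate -out inter.csr
openssl x509 -req -sha256 -in inter.csr -CA root.pem -CAkey root.key \
    -set_serial 2 -days 2 -extfile ca.ext -out inter.pem
openssl req -new -key leaf.key -subj /CN=leaf.example -out leaf.csr
openssl x509 -req -sha256 -in leaf.csr -CA inter.pem -CAkey inter.key \
    -set_serial 3 -days 2 -out leaf.pem

# Each case below returns openssl's exit status: 0 = verified, non-zero = rejected.
verify_quiet() { openssl verify "$@" >/dev/null 2>&1; }

# Intermediate alone in the trust store: not a trust anchor, and its issuer
# is absent, so the chain cannot be completed.
store_only_no_partial() { verify_quiet -CAfile inter.pem leaf.pem; }

# Same store with partial-chain support: the intermediate is now an
# acceptable chain endpoint.
store_only_with_partial() { verify_quiet -partial_chain -CAfile inter.pem leaf.pem; }

# Root as anchor, intermediate supplied as untrusted, as it would arrive
# on the wire from the peer or out of a cache of seen intermediaries.
root_anchor_untrusted_intermediate() {
    verify_quiet -CAfile root.pem -untrusted inter.pem leaf.pem
}

# Root as anchor but nobody supplies the intermediate: incomplete chain,
# the failure mode of peers that omit intermediates.
root_anchor_missing_intermediate() { verify_quiet -CAfile root.pem leaf.pem; }

# Root and intermediate both in the trust store: the store also serves as a
# source of intermediates, so this verifies without -partial_chain.
store_has_both() {
    cat root.pem inter.pem > both.pem
    verify_quiet -CAfile both.pem leaf.pem
}
```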