> -----Original Message-----
> From: Jan Just Keijser [mailto:janj...@nikhef.nl]
> Hi Samuli, David, list,
>
> What some people get confused about is a stacked certificate vs a
> certificate chain: OpenVPN only supports stacked CA certificates,
> meaning that any of the certs present in the stacked file are
> considered trusted.
> What some people want is a certificate chain, like some websites use:
> the website has a server certificate signed by a sub-CA which in turn
> is signed by Verisign. The webserver sends the entire chain (server cert +
> sub-CA cert + verisign cert) to the client for verification. That way
> the client only needs the Verisign cert to trust a particular website
> (the Verisign CA cert is installed in most browsers by default). OpenVPN
> does not support this at the moment. It would require changing
> SSL_CTX_use_certificate()
> to
> SSL_CTX_use_certificate_chain()
> to ensure that the entire certificate chain is sent to the remote end
> (client or server).
I think SSL_CTX_use_certificate_chain_file() is actually used when loading the certificate from a separate cert file. It's just slightly confusing due to the fact that it is loaded twice:

- SSL_CTX_use_certificate_file is used here:
  http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=blob;f=ssl.c;h=a1268ac2a9291dc1512fa28e3ab4efc65085c952;hb=HEAD#l1639
- SSL_CTX_use_certificate_chain_file is used here:
  http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=blob;f=ssl.c;h=a1268ac2a9291dc1512fa28e3ab4efc65085c952;hb=HEAD#l1738

I'm not entirely sure whether I'm right, and why things are done this way. Does anyone know the reasoning behind this?

Adriaan
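The stacked-vs-chain distinction Jan describes is easy to see with the openssl(1) command line. The script below is an added example for this thread, not code from OpenVPN or OpenSSL: it builds a root CA, a sub-CA and a server certificate, then verifies the server certificate four ways, mirroring (1) a client that trusts only the root while the server sends only its own cert, (2) a real chain where the server also sends the sub-CA cert, (3) the OpenVPN-style workaround of stacking root and sub-CA into the one trusted CA file, and (4) a stacked file that holds only the sub-CA. The CA names, file names and the stack.pem/chain.pem layout are made up here; it assumes openssl 1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example for this thread (not OpenVPN or OpenSSL project code):
# build root -> sub-CA -> server with openssl(1) and show the difference
# between a "stacked" CA file (every cert in it is a trust anchor) and a
# certificate chain (peer sends leaf + sub-CA; only the root is trusted).
# Assumes openssl >= 1.1 on PATH; names and file layout are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req(1) config: an empty DN section (we pass -subj) plus the v3
# extension sections. A sub-CA without CA:TRUE is rejected by openssl verify.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
EOF

newkey() { openssl ecparam -genkey -name prime256v1 -noout -out "$1" 2>/dev/null; }

build_pki() {
  # Root CA: self-signed.
  newkey root.key
  openssl req -new -x509 -key root.key -out root.crt -days 365 -sha256 \
    -subj "/CN=Example Root CA" -config req.cnf -extensions v3_ca 2>/dev/null
  # Sub-CA: signed by the root.
  newkey sub.key
  openssl req -new -key sub.key -out sub.csr -subj "/CN=Example Sub CA" \
    -config req.cnf 2>/dev/null
  openssl x509 -req -sha256 -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out sub.crt -days 365 -extfile req.cnf -extensions v3_ca 2>/dev/null
  # Server certificate: signed by the sub-CA.
  newkey server.key
  openssl req -new -key server.key -out server.csr -subj "/CN=vpn.example" \
    -config req.cnf 2>/dev/null
  openssl x509 -req -sha256 -in server.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
    -out server.crt -days 365 -extfile req.cnf -extensions v3_leaf 2>/dev/null
  # Stacked CA file (what a --ca style option consumes): every cert in it is trusted.
  cat root.crt sub.crt > stack.pem
  # Chain file (what a chain-aware server would send): leaf first, then the sub-CA.
  cat server.crt sub.crt > chain.pem
}

# verify_leaf TRUST_FILE [UNTRUSTED_FILE] -> prints "ok" or "fail".
# TRUST_FILE plays the client's trusted CA file; UNTRUSTED_FILE stands for the
# extra certs the peer sent, which are used for path building but never trusted.
verify_leaf() {
  if [ $# -ge 2 ]; then
    openssl verify -CAfile "$1" -untrusted "$2" server.crt >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$1" server.crt >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# 1. Client trusts only the root; server sent only its own cert: no path to a trusted cert.
case_root_only() { verify_leaf root.crt; }
# 2. Server sent leaf + sub-CA; client trusts only the root: a real chain.
case_chain()     { verify_leaf root.crt sub.crt; }
# 3. Stacked workaround: root and sub-CA both sit in the client's trusted file.
case_stacked()   { verify_leaf stack.pem; }
# 4. Sub-CA alone in the trusted file: it is not self-signed, so without a
#    partial-chain flag openssl still wants the root to terminate the path.
case_sub_only()  { verify_leaf sub.crt; }

build_pki
echo "root only:   $(case_root_only)"
echo "chain:       $(case_chain)"
echo "stacked CA:  $(case_stacked)"
echo "sub-CA only: $(case_sub_only)"
```

Case 1 is the failure mode the thread is about: a client holding only the root cannot validate a leaf unless the sub-CA certificate arrives from somewhere, either over the wire (case 2, the chain the web model uses) or pre-installed in the stacked CA file (case 3). Case 4 shows that stacking is not simply "add the issuer": the stacked file has to reach a self-signed root, or verification fails anyway.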