On 11/03/2016 03:27, Viktor Dukhovni wrote:
> On Fri, Mar 11, 2016 at 02:44:59AM +0100, Jakob Bohm wrote:
>
>>> Well, no, 1.0.2 uses the trust store not only for trust-anchors,
>>> but also as a capricious source of intermediate certificates, whose
>>> behaviour varies depending on whether the peer supplied same said
>>> certificates on the wire or not. I expect to improve the capricious
>>> behaviour.
>
>> You keep dodging the question: Does 1.0.2g trust or not
>> trust intermediary certs found in the "CA" store?
>
> They are not trust-anchors, so absent an issuer higher up, they
> are not sufficient to establish a "chain of trust", unless the
> application enables "partial chain" support.

Ok, that reverses the fundamental assumption behind all my previous
posts (including post #2 in this thread). Why didn't you state this
earlier?

> ...
>
>> An intermediate-CApath store would typically act as a
>> growing cache of encountered intermediaries, needing a
>> lot less security considerations than a trusted-CApath.
>>
>> This is especially useful with protocols and protocol
>> variants where the convention is to not send the full
>> certificate chain at all, but rather to expect the
>> opposing end to request (and cache) any missing
>> intermediaries as necessary.
>
> Fine for browsers, not so practical for OpenSSL which does not go
> around downloading certificates on the fly.

Actually, I have only seen this done in non-browser use of TLS (and
only by Microsoft).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
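The point Viktor makes above (an intermediate sitting in the CA store is not a trust anchor unless partial-chain verification is enabled) can be observed directly with the openssl CLI. This is an added example, not code from the thread or from OpenSSL; it assumes an `openssl` binary whose `verify` command supports `-partial_chain` (present since 1.0.2), and all subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build root -> intermediate -> leaf
# with the openssl CLI, then verify the leaf against a store holding ONLY
# the intermediate, once without and once with -partial_chain.
set -eu

# Writes root.pem, inter.pem and leaf.pem into directory $1.
# Subject names are constructed for this demo.
make_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=DemoRoot \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=DemoIntermediate \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=demo.example \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
}

# Verifies $1/leaf.pem with a store that contains only the intermediate.
# $2 is either empty or "-partial_chain". Prints "ok" or "fail".
verify_leaf() {
  if openssl verify $2 -CAfile "$1/inter.pem" "$1/leaf.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Runs both checks. Expected "fail ok": the intermediate alone cannot
# anchor the chain (root missing) until partial-chain support is enabled.
partial_chain_demo() {
  d=$(mktemp -d)
  make_chain "$d"
  r1=$(verify_leaf "$d" "")
  r2=$(verify_leaf "$d" -partial_chain)
  rm -rf "$d"
  echo "$r1 $r2"
}

partial_chain_demo
```

The first verification fails with "unable to get issuer certificate" because the store has no anchor above the intermediate; the second succeeds because `-partial_chain` (the CLI face of `X509_V_FLAG_PARTIAL_CHAIN`) lets a non-self-signed store certificate terminate the chain.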