Re: OpenSSL server sending certificate chain (inc. root cert) during handshake

> On May 31, 2019, at 3:20 PM, Jason Schultz <jetson23@xxxxxxxxxxx> wrote:
> 
> My questions deal with #2: Why does OpenSSL include the root cert in the certificate chain?

The OpenSSL SSL_CTX_build_cert_chain(3) function constructs a complete
chain of trust for your certificate chain, based on the configured trust
stores (CAfile and/or CApath).  If you call this function, then you can
control how your certificates chain is augmented.

But if your EE certificate is the entire chain, then the internal automatic
chain construction code will assume that the chain was not built, and will
try to augment it unless you set the SSL_MODE_NO_AUTO_CHAIN flag via:

  SSL_CTX_set_mode(3), or
  SSL_set_mode(3)

[ Which really ought to also document SSL_MODE_NO_AUTO_CHAIN ]

> Will the root cert be included in the chain any time it's in the same directory
> as the server cert?

No, the chain is augmented based on the configured trust stores, and does
not directly consider the directory holding the chain file.

> Is there a way, via API call, configuration, etc, to force OpenSSL to NOT send the
> root certificate as part of the chain in this case?

You can set a CAfile/CApath that do not include the location of the root
cert, or disable automatic chain construction, and build the chain just
the way you like it via SSL_CTX_build_cert_chain(3), possibly passing the
SSL_BUILD_CHAIN_FLAG_NO_ROOT flag.

-- 
	Viktor.
