Re: Why does OpenSSL report google's certificate is "self-signed"?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 31.03.2021 19:48, Viktor Dukhovni wrote:

On Mar 31, 2021, at 1:43 PM, Michael Wojcik <Michael.Wojcik@xxxxxxxxxxxxxx> wrote:

As far as I can see, neither PKIX (RFC 5280) nor the CA/BF Baseline Requirements say anything about the practice, though I may have missed something. I had a vague memory that some standard or "best practice" guideline somewhere said the server should send the chain up to but not including the root, but I don't know what that might have been.

Inclusion of the self-signed root is harmless.


do some admins this really?

I have more often the problem, that just the end SSL certificate is sent,
and without the intermediate certificate any validation is impossible;
in such case I download the intermediate just to complete the chain;


The only case that
I know of where this is actually necessary is with DANE-TA(2) when
the TLSA RRset has a hash of the trusted root cert or public key.
this case is history, there doesn't exist any user agent, which has implemented this;

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux