On 26/03/2014 13:38, Emilia Kasper wrote:
> 
> On Wed, Mar 26, 2014 at 1:11 PM, Dr Stephen Henson <[email protected]> wrote:
> 
> 
>     If the server is correctly configured to exclude the root then the chain build
>     will fail. The root is needed during path verification to see that the chain is
>     complete.
> 
> 
> Hmmm - it wasn't obvious from the doc that SSL_BUILD_CHAIN_FLAG_CHECK would fail
> this way but now that I think about it, I see you're right. This seems to be a
> limitation of X509_verify_cert and I'm not sure what to do about it. Would
> SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR be too dangerous to set? We'd still be
> building a best-effort correct issuer chain, just no longer fully validating it.
> So I don't think it could mess up any good configurations (famous last words?)
> 
> 

Well if you set SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR then it will reorder the chain
as best it can and just not fail if the chain is incomplete or broken in any
other way. That's how the on the fly path building works at present.

Personally I'd prefer it to return errors. That will catch other common problems
like expiry of any certificate in the chain.

If mod_ssl wants finer control on how the chain is built or better error
reporting then it's always possible to use a customised function that calls
X509_verify_cert manually.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
[email protected]
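
Added example, not part of the original message and not mod_ssl or OpenSSL project code: the behaviour discussed above (path verification fails when the root is not available, and succeeds once it is) reproduced with the `openssl verify` command, which runs X509_verify_cert. The throwaway PKI, the file names and the subject names are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed throwaway PKI (all names are made up): root -> intermediate -> leaf.
make_pki() {  # $1 = output directory
  d=$1
  cat > "$d/ossl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
[ee]
basicConstraints = CA:FALSE
EOF
  for n in root int leaf; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/$n.key" || return 1
  done
  openssl req -config "$d/ossl.cnf" -new -x509 -key "$d/root.key" \
    -subj "/CN=Example Root" -extensions ca -days 2 -out "$d/root.pem" || return 1
  sign "$d" int root "Example Intermediate" ca &&
  sign "$d" leaf int "www.example.test" ee
}

# Issue a certificate: $1 = dir, $2 = subject file stem, $3 = issuer file stem,
# $4 = subject CN, $5 = extension section in ossl.cnf.
sign() {
  openssl req -config "$1/ossl.cnf" -new -key "$1/$2.key" -subj "/CN=$4" \
    -out "$1/$2.csr" &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -CAcreateserial -extfile "$1/ossl.cnf" -extensions "$5" -days 2 \
    -out "$1/$2.pem" 2>/dev/null
}

# Verify the leaf with the intermediate supplied as an untrusted helper.
# Only the certificates in file $2 are trusted; exit status is openssl's.
check_chain() {  # $1 = PKI directory, $2 = file of trusted certificates
  openssl verify -no-CApath -CAfile "$2" -untrusted "$1/int.pem" "$1/leaf.pem"
}

PKI=$(mktemp -d) && make_pki "$PKI" || exit 1
echo "--- root excluded: store holds only the intermediate ---"
check_chain "$PKI" "$PKI/int.pem" || echo "verification failed: chain is incomplete"
echo "--- root available ---"
check_chain "$PKI" "$PKI/root.pem" && echo "chain is complete"
```
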
