On Thu, Feb 06, 2003 at 07:42:39PM +0100, Götz Babin-Ebell wrote:
> Hello folks,
>
> there seems to be a strange behavior with CA certificates
> in SSL server:
>
> I create a SSL_CTX for a server,
> set the certificate and the private key
> and add some CA certificates for client auth. with
> SSL_CTX_add_client_CA().
> (I don't set a server CA certificate,
> but in the list of client CA certificates are 2
> certificates with a DN that matches the issuer DN
> of the server certificate)
>
> But opening a SSL connection,
> my server still sends a CA certificate.
>
> How can I prevent the server from sending the root CA ?
With the current API it is not possible to influence this behaviour: if the
cert chain is incomplete, the library will automatically try to round up
from the store of trusted CAs. So the only way to create reproducible
results is to define the complete chain using
SSL_CTX_use_certificate_chain()...
Hmm. I vaguely remember a report quite some time ago, that in a similar
situation the wrong CA certificate could be picked and thus an invalid
chain might be created... If this also happens in your case, please file
a bug report to [EMAIL PROTECTED]

Best regards,
	Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
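As an added example, not part of the thread: a shell script that builds the explicit chain file the reply recommends (leaf plus intermediate, root omitted) and checks with `openssl verify` that the leaf alone does not validate against the root while the chain does, which is exactly the gap the library otherwise fills from its trusted-CA store. The `openssl s_server` command in the closing comment is the CLI counterpart of loading that chain into an SSL_CTX; every name, subject and file below is constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds an explicit server chain
# (leaf + intermediate) so a server presents that chain instead of a CA
# rounded up from its trusted store. All names/files here are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

gen_chain() {
  # CA extensions shared by the root and the intermediate
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  # Self-signed root CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout root.key -out root.csr >/dev/null 2>&1
  openssl x509 -req -days 30 -in root.csr -signkey root.key \
    -extfile ca.ext -out root.pem >/dev/null 2>&1
  # Intermediate CA, signed by the root
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout inter.key -out inter.csr >/dev/null 2>&1
  openssl x509 -req -days 30 -in inter.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -extfile ca.ext -out inter.pem >/dev/null 2>&1
  # Server leaf, signed by the intermediate
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
    -keyout server.key -out server.csr >/dev/null 2>&1
  openssl x509 -req -days 30 -in server.csr -CA inter.pem -CAkey inter.key \
    -CAcreateserial -out server.pem >/dev/null 2>&1
  # The chain the server should send: leaf first, then the intermediate.
  # The root is deliberately left out; the client must already trust it.
  cat server.pem inter.pem > chain.pem
}

# Number of PEM certificates in a file
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Leaf alone against the root fails: the intermediate is missing. This is
# the gap the library fills from the trusted store when no chain is given.
verify_leaf_alone() { openssl verify -CAfile root.pem server.pem >/dev/null 2>&1; }

# Leaf plus the intermediate taken from chain.pem (as untrusted) succeeds.
verify_with_chain() {
  openssl verify -CAfile root.pem -untrusted chain.pem server.pem >/dev/null 2>&1
}

gen_chain
echo "chain.pem holds $(count_certs chain.pem) certificates in $WORK"
# Server side: hand over the explicit chain plus the client-CA list, e.g.
#   openssl s_server -accept 4433 -cert chain.pem -key server.key \
#     -CAfile client-cas.pem -Verify 1
# (client-cas.pem is an assumed file holding the CAs accepted for client auth)
```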