According to RFC 2246 a server can omit the root certificate:

   [...]
   certificate_list
      This is a sequence (chain) of X.509v3 certificates. The sender's
      certificate must come first in the list. Each following
      certificate must directly certify the one preceding it. Because
      certificate validation requires that root keys be distributed
      independently, the self-signed certificate which specifies the
      root certificate authority may optionally be omitted from the
      chain, under the assumption that the remote end must already
      possess it in order to validate it in any case.
   [...]

But OpenSSL tries to complete the server CA list with the certificates
set in the client CA list. This can result in an invalid server CA list
if the client CA list contains a CA cert with a DN that matches the
issuer DN in the server cert or the root CA cert of the server CA list.

So it is not possible for the server to accept client certs issued by
its own root CA and prevent this root from being sent to the client as
its own root.

Bye

Goetz

--
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
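The chain-building behaviour the post complains about, as an added toy model (this is not OpenSSL code and not code from the post; the PKI names and key identifiers are constructed). Certificates are reduced to subject DN, issuer DN, a key identifier and the key that signed them. build_chain() does what the post describes: it starts from the server certificate and appends whichever certificate in the available pool has a subject DN equal to the previous issuer DN, so a root present in the client-CA list ends up on the wire, and a different certificate that merely shares the root's DN produces a chain the client cannot verify. The no_root switch stops before a self-signed certificate, which is what the RFC text permits and what the poster wanted; later OpenSSL releases expose this as the SSL_BUILD_CHAIN_FLAG_NO_ROOT flag of SSL_CTX_build_cert_chain().

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Toy certificate: DNs plus key identifiers standing in for real keys."""
    subject: str      # subject DN
    issuer: str       # issuer DN
    key: str          # identifier of this certificate's public key
    signer_key: str   # identifier of the key that signed this certificate

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed sample PKI; all names and key identifiers are hypothetical.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", "k-root", "k-root")
INTER = Cert("CN=Example Issuing CA", "CN=Example Root CA", "k-inter", "k-root")
SERVER = Cert("CN=server.example", "CN=Example Issuing CA", "k-server", "k-inter")
# A second root with the same DN but a different key (for example a re-keyed
# root); a DN-only lookup cannot tell it apart from ROOT.
OTHER_ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", "k-other", "k-other")


def build_chain(leaf, extra_chain, ca_pool, no_root=False):
    """Return the certificate_list a server would send, leaf first.

    leaf:        the server certificate (first in the list, per RFC 2246)
    extra_chain: certificates the operator explicitly configured to send
    ca_pool:     certificates used to complete the chain; in the post's
                 scenario this is the client-CA list the server also trusts
    no_root:     stop before appending a self-signed certificate
    Matching is by DN only, which is the weakness the post points out.
    """
    chain = [leaf]
    candidates = list(extra_chain) + list(ca_pool)
    while not chain[-1].is_self_signed():
        last = chain[-1]
        issuer = next(
            (c for c in candidates if c.subject == last.issuer and c not in chain),
            None,
        )
        if issuer is None or (no_root and issuer.is_self_signed()):
            break
        chain.append(issuer)
    return chain


def subjects(chain):
    """Subject DNs of a chain, in wire order."""
    return [c.subject for c in chain]


def client_validates(chain, trust_store):
    """Toy client-side check of a received chain against a local trust store.

    Every certificate must be signed by the key of the one that follows it,
    and the last certificate must be signed by a key in the trust store.
    A chain that omits the root therefore still validates, as RFC 2246 says.
    """
    if not chain:
        return False
    for prev, nxt in zip(chain, chain[1:]):
        if nxt.subject != prev.issuer or nxt.key != prev.signer_key:
            return False
    last = chain[-1]
    return any(t.subject == last.issuer and t.key == last.signer_key
               for t in trust_store)


if __name__ == "__main__":
    # Root in the client-CA list: it is pulled into the sent chain.
    print(subjects(build_chain(SERVER, [INTER], [ROOT])))
    # Same-DN certificate with a different key: chain completes but is invalid.
    bad = build_chain(SERVER, [INTER], [OTHER_ROOT])
    print(subjects(bad), client_validates(bad, [ROOT]))
    # Stopping before the root gives a chain the client validates locally.
    short = build_chain(SERVER, [INTER], [OTHER_ROOT], no_root=True)
    print(subjects(short), client_validates(short, [ROOT]))
```

The second case is the "invalid server CA list" from the post: the DN match picks OTHER_ROOT, and a client that walks the chain as sent fails on the key mismatch between INTER and OTHER_ROOT. The third case is the configuration the poster asked for: the root is trusted for client certificates but never transmitted, and the client completes validation from its own copy of ROOT.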