According to RFC 2246 a server can omit the root certificate:
[...]
certificate_list
This is a sequence (chain) of X.509v3 certificates. The sender's
certificate must come first in the list. Each following
certificate must directly certify the one preceding it. Because
certificate validation requires that root keys be distributed
independently, the self-signed certificate which specifies the
root certificate authority may optionally be omitted from the
chain, under the assumption that the remote end must already
possess it in order to validate it in any case.
[...]
But OpenSSL tries to complete the server CA list with the certificates
set in the client CA list.
This can result in an invalid server CA list if the client CA list
contains a CA cert with a DN that matches the issuer DN in the server
cert or the root CA cert of the server CA list.
So it is not possible for the server to accept client certs issued
by its own root CA and prevent this root from being sent to the client
as its own root.
Bye
Goetz
--
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
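The certificate_list rules quoted above (sender's cert first, each following cert directly certifies the one before it, self-signed root optional), and the chain-completion behaviour the post describes, as an added model in Python. This is illustration written for this page, not OpenSSL's code: certificates are reduced to (subject, issuer) DN pairs, "certifies" is modelled as a DN match only (no signature or key check), and the certificate names are constructed. `build_chain` pulls issuers out of whatever pool it is given, so feeding it the server chain file alone versus the chain file plus a client CA list shows how an extra CA pool changes what would be sent; `check_certificate_list` applies the RFC 2246 validity rule from the client's side.

```python
"""Model of TLS certificate_list construction and checking (RFC 2246 7.4.2).

Added example for this page; not OpenSSL code. Certificates are modelled
as (subject, issuer) DN pairs and "directly certifies" is a DN match only.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_chain(leaf: Cert, pool: Iterable[Cert], omit_root: bool = True) -> List[Cert]:
    """Walk issuer links from `leaf`, pulling each issuer out of `pool`.

    `pool` is every CA cert the sender is willing to use for completion.
    With omit_root=True a self-signed cert at the end of the walk is dropped,
    as RFC 2246 permits; with omit_root=False it is sent as part of the chain.
    """
    by_subject = {c.subject: c for c in pool}
    chain = [leaf]
    cur = leaf
    while not cur.self_signed:
        nxt = by_subject.get(cur.issuer)
        if nxt is None:
            break  # issuer not available; chain stops here
        chain.append(nxt)
        cur = nxt
    if omit_root and len(chain) > 1 and chain[-1].self_signed:
        chain.pop()
    return chain


def check_certificate_list(chain: List[Cert], trusted_roots: Iterable[Cert]) -> Optional[str]:
    """Client-side check of a received certificate_list.

    Returns None when the list satisfies RFC 2246 relative to `trusted_roots`,
    otherwise a string naming the first violation.
    """
    if not chain:
        return "empty certificate_list"
    # Each following certificate must directly certify the one preceding it.
    for a, b in zip(chain, chain[1:]):
        if a.issuer != b.subject:
            return f"{b.subject!r} does not directly certify {a.subject!r}"
    trusted = {r.subject for r in trusted_roots if r.self_signed}
    last = chain[-1]
    if last.self_signed:
        return None if last.subject in trusted else f"root {last.subject!r} is not trusted"
    # Root omitted: valid only if the client already holds that root.
    if last.issuer in trusted:
        return None
    return f"chain ends at {last.subject!r} and its issuer is not in the trust store"


# Constructed sample PKI (not real certificates).
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
INTERMEDIATE = Cert("CN=Example Intermediate CA", "CN=Example Root CA")
LEAF = Cert("CN=server.example.test", "CN=Example Intermediate CA")

SERVER_CHAIN_FILE = [LEAF, INTERMEDIATE]  # what the operator configured to send
CLIENT_CA_LIST = [ROOT]                   # server accepts client certs from its own root


def scenario() -> dict:
    """Chains a server would send under the three completion policies modelled here."""
    return {
        "chain_file_only": build_chain(LEAF, SERVER_CHAIN_FILE),
        "completed_from_client_cas": build_chain(LEAF, SERVER_CHAIN_FILE + CLIENT_CA_LIST,
                                                 omit_root=False),
        "completed_root_omitted": build_chain(LEAF, SERVER_CHAIN_FILE + CLIENT_CA_LIST,
                                              omit_root=True),
    }


if __name__ == "__main__":
    for name, chain in scenario().items():
        print(name, [c.subject for c in chain])
    print("client holding root:", check_certificate_list(scenario()["chain_file_only"], [ROOT]))
    print("client without root:", check_certificate_list(scenario()["chain_file_only"], []))
```

Only the "completed_from_client_cas" policy puts the root on the wire; the other two stay within what the chain file provides, and the client-side check shows that omitting the root is only safe when the peer already trusts it.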