Hello Lutz,

Lutz Jaenicke wrote:
> On Thu, Feb 06, 2003 at 07:42:39PM +0100, Götz Babin-Ebell wrote:
> > Hello folks,
> > there seems to be a strange behavior with CA certificates in SSL server:
> > I create a SSL_CTX for a server, set the certificate and the private key
> > and add some CA certificates for client auth. with SSL_CTX_add_client_CA().
> > (I don't set a server CA certificate, but in the list of client CA
> > certificates are 2 certificates with a DN that matches the issuer DN of
> > the server certificate)
> > But opening a SSL connection, my server still sends a CA certificate.
> > How can I prevent the server from sending the root CA ?
> With the current API it is not possible to influence this behaviour:
> if the cert chain is incomplete, the library will automatically try to
> round up from the store of trusted CAs.

But the chain is complete.
We have for one root key pair issued 2 certificates with the same DN.
One with a validity ending 2005, the other ending 2011.
Older browsers have the 2005 cert and newer ones the 2011 cert.
Now some of our customers (using apache) want to use client authentication with certificates issued by us.
So if they put the 2005 cert in their client CA cert list,
customers with newer Mozilla / Netscape 7 complain that the server
cert is not trusted (issued by an unknown CA)...
Using the 2011 CA cert doesn't help, because then clients with an older
browser (containing the 2005 cert) complain...
> Hmm. I vaguely remember a report quite some time ago, that in a similar
> situation the wrong CA certificate could be picked and thus an invalid
> chain might be created... If this also happens in your case, please file
> a bug report to [EMAIL PROTECTED]
Done.

Bye

Goetz

-- 
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
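The situation described in this thread (a chain "rounded up" from the trusted store, with two root certificates sharing one DN) modelled as a small Python example added here; it is not OpenSSL's own chain-building code. It shows why a DN-only issuer lookup is ambiguous and how matching the child's authority key identifier against each candidate's subject key identifier, plus the validity window, selects a single issuer. All certificate records, DNs and key identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    subject: str          # subject DN
    issuer: str           # issuer DN
    not_before: datetime
    not_after: datetime
    ski: str              # subject key identifier (identifies the cert's key)
    aki: str              # authority key identifier (SKI of the issuing key)

# Constructed store: one root key pair ("k1") issued two root certificates
# with the same DN but different validity, plus an unrelated CA that reuses
# the DN with a different key ("k9"). The DN is a placeholder.
ROOT_DN = "C=DE, O=Example, CN=Example Root CA"
ROOT_2005 = Cert(ROOT_DN, ROOT_DN, datetime(1998, 1, 1), datetime(2005, 12, 31), "k1", "k1")
ROOT_2011 = Cert(ROOT_DN, ROOT_DN, datetime(2001, 1, 1), datetime(2011, 12, 31), "k1", "k1")
IMPOSTOR = Cert(ROOT_DN, ROOT_DN, datetime(2001, 1, 1), datetime(2011, 12, 31), "k9", "k9")
SERVER = Cert("C=DE, O=Example, CN=www.example.test", ROOT_DN,
              datetime(2002, 6, 1), datetime(2004, 6, 1), "k7", "k1")
STORE = [ROOT_2005, ROOT_2011, IMPOSTOR]
NOW = datetime(2003, 2, 6)      # date of the thread: both roots still valid
LATER = datetime(2006, 1, 1)    # the 2005 root has expired
AFTER = datetime(2012, 1, 1)    # both roots have expired

def issuers_by_dn(store: List[Cert], cert: Cert) -> List[Cert]:
    """DN-only lookup, as a naive chain builder does: ambiguous here."""
    return [c for c in store if c.subject == cert.issuer]

def pick_issuer(store: List[Cert], cert: Cert, now: datetime) -> Optional[Cert]:
    """Require the issuer to hold the key named by the child's AKI and to be
    valid at `now`; if several remain, prefer the longest remaining life."""
    ok = [c for c in issuers_by_dn(store, cert)
          if c.ski == cert.aki and c.not_before <= now <= c.not_after]
    return max(ok, key=lambda c: c.not_after) if ok else None

def build_chain(leaf: Cert, store: List[Cert], now: datetime) -> List[Cert]:
    """Walk from the leaf up to a self-signed root; stop when no issuer qualifies."""
    chain = [leaf]
    while chain[-1].subject != chain[-1].issuer:
        nxt = pick_issuer(store, chain[-1], now)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain

if __name__ == "__main__":
    print(len(issuers_by_dn(STORE, SERVER)))            # 3 candidates by DN alone
    print(pick_issuer(STORE, SERVER, NOW).not_after.year)  # 2011
```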