On Thu, Jan 20, 2005 at 01:17:29PM -0500, Jim Schneider wrote: > On Thursday 20 January 2005 13:03, Samuel Meder wrote: > > Got a question: It seems that OpenSSL allows the cert chain to be any > > number of certificates which it then treats as a pool to build the cert > > chain from whereas RFC 2246 says the certificate chains must be ordered > > and no redundant certs are allowed (+/- CA cert): > > I'm not sure I understand this - are you saying you've found a way to get > OpenSSL to create a chain that contains the same CA cert more than once?
Based on the OP's reference to RFC 2246, I presume he means the list of certs in the Certificate message. The RFC states that the list should only include exactly the certs needed: "The sender's certificate must come first in the list. Each following certificate must directly certify the one preceding it." Apparently OpenSSL isn't checking for this. > What would the patch tighten up? Presumably, change it so OpenSSL ensures the other side is not sending totally random extra certificates in the Certificate message during the SSL/TLS handshake. -Jack ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [EMAIL PROTECTED]
