On Thu, 2005-01-20 at 11:24 -0700, Jack Lloyd wrote:
> On Thu, Jan 20, 2005 at 01:17:29PM -0500, Jim Schneider wrote:
> > On Thursday 20 January 2005 13:03, Samuel Meder wrote:
> > > Got a question: It seems that OpenSSL allows the cert chain to be any
> > > number of certificates which it then treats as a pool to build the cert
> > > chain from whereas RFC 2246 says the certificate chains must be ordered
> > > and no redundant certs are allowed (+/- CA cert):
> >
> > I'm not sure I understand this - are you saying you've found a way to get
> > OpenSSL to create a chain that contains the same CA cert more than once?
>
> Based on the OP's reference to RFC 2246, I presume he means the list of certs
> in the Certificate message. The RFC states that the list should only include
> exactly the certs needed: "The sender's certificate must come first in the
> list. Each following certificate must directly certify the one preceding it."
>
> Apparently OpenSSL isn't checking for this.
Right, as far as I can tell the code treats the certificates being sent as a
set rather than an ordered chain and just picks the ones that are appropriate.

> > What would the patch tighten up?
>
> Presumably, change it so OpenSSL ensures the other side is not sending totally
> random extra certificates in the Certificate message during the SSL/TLS
> handshake.

Correct. I think it would be a pretty easy fix to make. I just want to make
sure that the current behavior isn't intentional.

/Sam

> -Jack

-- 
Sam Meder <[EMAIL PROTECTED]>
The Globus Alliance - University of Chicago
630-252-1752
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
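The two behaviours discussed in this thread, side by side, as an added example that is not part of the thread and not OpenSSL code. `check_ordered_chain` applies the RFC 2246 section 7.4.2 rule quoted above (sender's certificate first, each following certificate directly certifies the one before it, nothing extra; the self-signed root may be omitted, which the RFC explicitly permits, and is the "+/- CA cert" caveat in the original question). `build_from_pool` implements the looser behaviour Sam describes: the certificates after the first are treated as an unordered set and the first issuer path to a trust anchor is used, with unneeded entries ignored. Certificates are modelled as constructed (subject, issuer, key id, signer key id) records rather than real X.509 objects so the chain logic runs offline without a crypto library; "directly certifies" is therefore a name-and-key match, standing in for a real signature check. The certificate names, key ids and the `Cert`, `check_ordered_chain` and `build_from_pool` names are all assumptions made for this example.

```python
"""Strict RFC 2246 ordering check vs. pool-style chain building for the
certificate_list of a TLS Certificate message.

Constructed example, not OpenSSL code. A Cert is a stand-in for an X.509
certificate: 'directly certifies' is modelled as name + key id match instead
of an actual signature verification.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str         # identifier of this cert's own public key
    signer_key_id: str  # key that signed this cert (its issuer's key)

    def directly_certifies(self, other: "Cert") -> bool:
        """True if self is the issuer certificate of `other`."""
        return other.issuer == self.subject and other.signer_key_id == self.key_id


def _reaches_anchor(cert: Cert, trusted: Set[str]) -> bool:
    # Either the cert is a trust anchor we hold, or its issuer key is one
    # (the latter covers the RFC's optional omission of the self-signed root).
    return cert.key_id in trusted or cert.signer_key_id in trusted


def check_ordered_chain(msg: List[Cert], trusted: Set[str]) -> bool:
    """RFC 2246 7.4.2 semantics: msg[0] is the sender's certificate, msg[i+1]
    must directly certify msg[i], and the list must end at a trust anchor.
    Any stray, duplicated or out-of-order certificate fails the check."""
    if not msg:
        return False
    for prev, nxt in zip(msg, msg[1:]):
        if not nxt.directly_certifies(prev):
            return False
    return _reaches_anchor(msg[-1], trusted)


def build_from_pool(msg: List[Cert], trusted: Set[str]) -> Optional[List[Cert]]:
    """Pool semantics (the behaviour the thread describes): msg[1:] is an
    unordered set. Walk from msg[0] to a trust anchor, picking any pool entry
    that certifies the current cert and silently ignoring the rest.
    Returns the chain actually used, or None if no path exists."""
    if not msg:
        return None
    pool = msg[1:]
    chain = [msg[0]]
    used = {msg[0]}
    while not _reaches_anchor(chain[-1], trusted):
        issuer = next((c for c in pool
                       if c not in used and c.directly_certifies(chain[-1])), None)
        if issuer is None:
            return None
        chain.append(issuer)
        used.add(issuer)
    return chain


# Constructed certificates and trust store (assumed names/key ids).
ROOT = Cert("Example Root CA", "Example Root CA", "k-root", "k-root")
INTER = Cert("Example Issuing CA", "Example Root CA", "k-inter", "k-root")
LEAF = Cert("www.example.test", "Example Issuing CA", "k-leaf", "k-inter")
STRAY = Cert("Unrelated CA", "Unrelated CA", "k-stray", "k-stray")
TRUSTED = {"k-root"}

# Certificate messages a peer might send.
PROPER = [LEAF, INTER, ROOT]            # exactly what the RFC asks for
NO_ROOT = [LEAF, INTER]                 # root omitted: also allowed by the RFC
SHUFFLED = [LEAF, ROOT, INTER]          # right certs, wrong order
PADDED = [LEAF, STRAY, INTER, INTER, ROOT]  # random extra and duplicate certs
MISSING = [LEAF, ROOT]                  # intermediate absent: neither can work


def compare(msg: List[Cert]) -> dict:
    """Summarise how each policy treats one certificate message."""
    built = build_from_pool(msg, TRUSTED)
    return {
        "strict_ok": check_ordered_chain(msg, TRUSTED),
        "pool_ok": built is not None,
        "pool_chain": [c.subject for c in built] if built else None,
    }


if __name__ == "__main__":
    for name, msg in [("PROPER", PROPER), ("NO_ROOT", NO_ROOT),
                      ("SHUFFLED", SHUFFLED), ("PADDED", PADDED),
                      ("MISSING", MISSING)]:
        print(f"{name:9s} {compare(msg)}")
```

SHUFFLED and PADDED are the interesting rows: the pool builder accepts both and quietly discards the stray and duplicate entries, while the strict check rejects them, which is exactly the gap the proposed patch would close. MISSING shows that tightening the ordering rule does not change the outcome for a chain that was never valid in either model.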