Peter Volkov wrote:
CC'ing openssl developers for their opinions, since I think it is better for this behavior to be consistent or configurable. Description of the problem is here:
Placing this in context - connect with Internet Explorer or Firefox to https://metasploit.com/ and you will see that both of those independent implementations see nothing wrong with the certificate chain and handle the redirect to http://metasploit.com/ without any errors or warnings.
Implementations typically take the list of certificates as untrusted certificates to add into the process of walking the certificate chain to a trusted root certificate. There are pragmatic reasons for doing it this way.
From an interoperability point of view remember the adage - "Be strict in what you generate, be liberal in what you accept".
Tim.
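The approach described in the message above (treating the certificates a peer sends as an untrusted pool for path building) can be reproduced with `openssl verify -untrusted`. This is an added example, not part of the original thread; the throwaway PKI, file names and helper functions are constructed for illustration.

```shell
# Added example: constructed throwaway PKI; every name and file here is hypothetical.
set -e
work=$(mktemp -d)
cd "$work"

cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# new_ca NAME: self-signed CA certificate (NAME.pem) and key (NAME.key)
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config ca.cnf \
    -extensions v3_ca -subj "/CN=Example $1" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}
# issue NAME ISSUER [x509 options]: certificate NAME.pem signed by ISSUER
issue() {
  name=$1; ca=$2; shift 2
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=Example $name" -keyout "$name.key" -out "$name.csr" 2>/dev/null
  openssl x509 -req -in "$name.csr" -CA "$ca.pem" -CAkey "$ca.key" \
    -CAcreateserial -days 30 -out "$name.pem" "$@" 2>/dev/null
}
new_ca root
new_ca other
issue int root -extfile ca.cnf -extensions v3_ca
issue leaf int

# verify_leaf ANCHOR POOL: succeeds only if leaf.pem chains to ANCHOR,
# using POOL purely as a source of candidate issuer certificates.
verify_leaf() {
  openssl verify -CAfile "$work/$1" -untrusted "$work/$2" "$work/leaf.pem" 2>&1 |
    grep -q ': OK$'
}

cat other.pem int.pem > pool_messy.pem     # unrelated extra first, then the intermediate
cp other.pem pool_missing.pem              # intermediate absent
cat int.pem root.pem > pool_with_root.pem  # peer also sends the root itself

verify_leaf root.pem  pool_messy.pem     && echo "messy pool, trusted root: OK"
verify_leaf root.pem  pool_missing.pem   || echo "missing intermediate: rejected"
verify_leaf other.pem pool_with_root.pem || echo "root only in pool: rejected"
```

Order and unrelated extras in the pool do not affect the result, while a root that appears only in the pool never becomes a trust anchor.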