I am not sure if this is a non-conformance with some standard or a
lacking feature.

If during the handshake process, an SSL server sends to me a chain of
certificates and one of them is already trusted by me (I have it
self-signed in my CApath), OpenSSL will fail to verify the server if I
do not also have the issuer of the last certificate of the chain in my
CApath.

It seems that my trusted certificates are only used when trying to
verify the last certificate in the chain. It would be nice if the
verification could be completed at any certificate in the chain, if I
trusted its issuer. This is the behavior of NSS.

The specific case where this issue affected me is described in this
thread of the openssl-users list:
http://www.mail-archive.com/[email protected]/msg65560.html

-- 
Lucas Clemente Vella
[email protected]
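The behaviour described above, reproduced as an added example with the openssl CLI (this is not code from the original message or from the OpenSSL project). The root/intermediate/leaf chain, its names and file paths are constructed for the demo; the `-partial_chain` option assumes OpenSSL 1.0.2 or later.

```shell
# Constructed demo PKI: root -> intermediate -> leaf, all names made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions a certificate needs to be accepted as an issuing CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext

# Self-signed root CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
  -keyout root.key -out root.crt 2>/dev/null

# Intermediate CA, signed by the root.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -days 2 -in inter.csr -CA root.crt -CAkey root.key \
  -CAcreateserial -extfile ca.ext -out inter.crt 2>/dev/null

# Leaf (server) certificate, signed by the intermediate.
openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -days 2 -in leaf.csr -CA inter.crt -CAkey inter.key \
  -CAcreateserial -out leaf.crt 2>/dev/null

# verify_leaf: run "openssl verify" on leaf.crt with the given options
# and print "ok" or "fail" instead of the tool's own output.
verify_leaf() {
  if openssl verify "$@" leaf.crt >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# 1. Only the intermediate is trusted. Default verification fails, because
#    OpenSSL insists on chaining up to a self-signed root: the post's complaint.
echo "intermediate trusted, default flags: $(verify_leaf -CAfile inter.crt)"

# 2. Same trust store, but with -partial_chain: the trusted intermediate is
#    accepted as the anchor, which is the NSS-style behaviour the post asks for.
echo "intermediate trusted, -partial_chain: $(verify_leaf -CAfile inter.crt -partial_chain)"

# 3. Root trusted and the intermediate supplied as untrusted chain material:
#    the case that has always verified.
echo "root trusted, full chain: $(verify_leaf -CAfile root.crt -untrusted inter.crt)"
```

The same switch is available programmatically as the `X509_V_FLAG_PARTIAL_CHAIN` verify flag, so a client can get case 2 without widening the trust store to the root.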

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]