Mike Zeoli wrote:
> 
> First, thanks for all your help, Steve.
> 
> I'll add the appropriate extensions to the certificate.
> 
> To follow up on what you said below, why does the "intermediate" CA
> certificate only show up as invalid when doing client and server
> authentication, and not when doing server authentication only?  (This is why
> I assumed my certificates were valid, and that there was a problem with c/s
> authentication)
> 

This is connected with how the verification code builds a certificate
chain. It first uses as many certificates as possible from a list of
untrusted CAs included in the chain. When it can't add any more it
continues by looking up certificates from local storage. Root CAs always
come from local storage.

It then checks any untrusted certificates against the specific purpose,
but assumes that trusted ones are OK.

So if we have a chain cert->intermediate->root and intermediate has an
invalid purpose, it depends on what chain it is asked to verify. If it is
just passed the cert then it will look up the rest from local storage and
bypass the checks.

If however it is passed cert and intermediate it will end up checking
the intermediate purpose.

This behaviour is a little unusual and I suppose it should be
consistent: either always check certificates or always trust
certificates if they are in local storage. 

Always checking chains however causes problems because there are lots of
invalid certificates that need to be worked round. 

Not checking trusted CAs is a better solution but that needs some
changes to the verify code.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
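The chain-building and purpose-check order Steve describes, modelled in Python as an added example (this is not OpenSSL code and not from the thread). The certificates, the `purposes` attribute and the `check_trusted` switch are constructed stand-ins: `check_trusted=True` models the "always check certificates" alternative he mentions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    purposes: frozenset  # constructed stand-in for the certificate's extensions

def build_chain(leaf, untrusted, store):
    """Leaf -> ... -> root, taking as many certificates as possible from the
    untrusted list first, then from local storage. Roots (self-signed) are
    only ever taken from local storage. Returns (chain, subjects from store)."""
    untrusted_idx = {c.subject: c for c in untrusted}
    store_idx = {c.subject: c for c in store}
    chain, from_store = [leaf], set()
    while chain[-1].subject != chain[-1].issuer:  # stop at the self-signed root
        issuer = chain[-1].issuer
        cand = untrusted_idx.get(issuer)
        if cand is not None and cand.subject != cand.issuer:
            chain.append(cand)
        elif issuer in store_idx:
            chain.append(store_idx[issuer])
            from_store.add(issuer)
        else:
            raise ValueError(f"no issuer found for {chain[-1].subject}")
    return chain, from_store

def verify(leaf, untrusted, store, purpose, check_trusted=False):
    """Purpose check as described: certificates that came from local storage
    are assumed OK and skipped, unless check_trusted is set. Returns the
    subjects whose purpose check failed."""
    chain, from_store = build_chain(leaf, untrusted, store)
    return [c.subject for c in chain
            if (c.subject not in from_store or check_trusted)
            and purpose not in c.purposes]

# Constructed sample PKI: the intermediate lacks the client-auth purpose.
ROOT = Cert("Root CA", "Root CA", frozenset({"sslserver", "sslclient"}))
INTERMEDIATE = Cert("Intermediate CA", "Root CA", frozenset({"sslserver"}))
LEAF = Cert("client.example", "Intermediate CA", frozenset({"sslserver", "sslclient"}))
STORE = [ROOT, INTERMEDIATE]  # local storage holds both CA certificates

def demo(purpose="sslclient"):
    return {
        "leaf_only": verify(LEAF, [], STORE, purpose),                 # []
        "leaf_and_intermediate": verify(LEAF, [INTERMEDIATE], STORE, purpose),
        "always_check": verify(LEAF, [], STORE, purpose, check_trusted=True),
    }

if __name__ == "__main__":
    print(demo())
```

Passing only the leaf pulls the intermediate from local storage and skips its check; passing the intermediate alongside the leaf makes the same chain fail for client authentication.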