Hi Jeffrey,

Thanks for your response.

So, is it a standard that the SSL-enabled server app sends the certificate
chain, or just something that the app 'should' do?

How can I test what certificates the server is actually sending back?  I
know that uw-imapd doesn't send the whole chain, and that Apache does.
Just to give yet another example -- our exim mail server allows TLS for
incoming mail.  The mail server uses the hash files to find the
certificates for the CA, and has a certificate file which contains our own
certificate (signed by an Intermediate CA).  I thought that the exim
server was sending out the Intermediate CA certificate because when I
tried to send a message using a slightly older than new version of Linux
Mozilla that did not know about the Intermediate CA, it worked.  However,
I then got complaints for our PC users using the same version of Mozilla
that they were getting messages that the Intermediate CA was unknown!  I
added the Intermediate CA certificate to the end of the server certificate
that I was sending back to the client, and now the PC users were happy.
Either exim is sending the full chain out and there was a bug in the
Windows version of Mozilla that I was running, or, the Unix version of
Mozilla I was running did not completely check the chain!  Is there a
client program I can run on both the Unix and Windows side to test exactly
what certificates are being sent from the server to the client?

Thanks,

Jason Keltz
[EMAIL PROTECTED]
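To answer the "how can I test what the server actually sends" question, here is an added example (not from the thread and not OpenSSL project code): it captures the chain with `openssl s_client -showcerts`, reads each certificate's issuer and subject straight out of the DER, and reports the order sent, whether each certificate is issued by the next one, whether a self-signed root was included (which, as Jeffrey notes, the client must ignore anyway), and which CA the client must already hold for the chain to validate. The function names are my own, and the script assumes an `openssl` binary on the PATH and a plain SSL/TLS service (no STARTTLS) on the given port.

```python
import re, subprocess
from base64 import b64decode
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def fetch_chain_pem(host, port):
    """Capture the certificates the server actually sends (openssl s_client -showcerts)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-showcerts"]
    return subprocess.run(cmd, input=b"", capture_output=True, timeout=20).stdout

def parse_pem(pem_bytes):
    """DER bytes of every certificate in s_client output, in the order the server sent them."""
    return [b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem_bytes)]

def der_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Walk TBSCertificate just far enough to slice out the raw issuer and subject Names."""
    end = lambda p: der_tlv(der, p)[2]      # end offset of the TLV that starts at p
    pos = der_tlv(der, der_tlv(der, 0)[1])[1]   # into Certificate, then into tbsCertificate
    if der[pos] == 0xA0:                    # optional [0] EXPLICIT version
        pos = end(pos)
    pos = end(end(pos))                     # skip serialNumber and signature AlgorithmIdentifier
    issuer = der[pos:end(pos)]
    pos = end(end(pos))                     # skip issuer and validity
    return issuer, der[pos:end(pos)]

def common_name(name_der):
    """Pull the CN (OID 2.5.4.3) out of a DER Name, for display only."""
    i = name_der.find(b"\x06\x03\x55\x04\x03")
    if i < 0:
        return "<no CN>"
    _, vs, ve = der_tlv(name_der, i + 5)
    return name_der[vs:ve].decode("utf-8", "replace")

def check_chain(certs_der):
    """Order, linkage, whether a root was included, and which CA the client must already hold."""
    names = [issuer_and_subject(c) for c in certs_der]
    sent = [(common_name(s), common_name(i)) for i, s in names]
    # Each cert's issuer should be the subject of the cert sent right after it.
    unlinked = [k for k in range(len(names) - 1) if names[k][0] != names[k + 1][1]]
    root_sent = bool(names) and names[-1][0] == names[-1][1]   # last cert is self-signed
    # Where the chain stops short of a root, the client must hold the last issuer itself.
    anchor = sent[-1][0] if root_sent else sent[-1][1] if sent else None
    return {"sent": sent, "unlinked": unlinked, "root_sent": root_sent,
            "client_must_trust": anchor}
```

Run `check_chain(parse_pem(fetch_chain_pem(host, port)))` against both servers: a uw-imapd-style server shows one certificate with `client_must_trust` naming the Intermediate CA, while an Apache-style server (or exim with the intermediate appended to the server certificate file) shows two and names the Root CA.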

On Mon, 10 Jan 2005, Jeffrey Altman wrote:

> The server should send all of the certs which make up the chain but
> not the root cert.  If the root cert is sent, the client must ignore
> it for purposes of validation of the chain.
>
> Microsoft used to distribute Intermediate certs as part of Windows
> and this resulted in the expectation that clients should have the
> intermediate certs installed on their machines.  Intermediate certs
> expire more frequently than root certs.  The administrators of the
> servers have a relationship with the issuers of the intermediate
> certs; the clients do not.  Therefore, the server administrators
> can more easily update the intermediate certs when needed.  Inclusion
> of the intermediate certs on the client requires the administrator
> of the client to remove the old intermediate cert and replace it with
> the new one.  In practice, this will never happen in most cases because
> most clients do not have administrators.
>
> Jeffrey Altman
>
>
> Jason Keltz wrote:
>
> > Hi.
> >
> > I have a question with respect to SSL protocol.  Is it part of the
> > protocol that the SSL server send to the client the public keys for the
> > CAs making up the certificate chain, or is it acceptable to send just the
> > server public key and expect the client to complete the chain on its own?
> >
> > I can demonstrate with two examples... assume a multi-level certificate
> > chain -- Root CA -> Intermediate CA -> server
> >
> > I have two programs -- Apache httpd, and uw-imapd, and both operate
> > differently in this respect.  In terms of uw-imapd, the client connecting
> > (Thunderbird 0.8) knew about the Root CA and not the intermediate CA.
> > Thunderbird 0.8 was unable to verify the chain, so an SSL connection could
> > not be made.  However, placing the public key of the Intermediate CA in
> > the key file for the server made the problem go away.
> >
> > In terms of Apache and running say Opera as a web client -- if the web
> > client doesn't know about the intermediate CA, the server sends the
> > information, and the client trusts the information without a word to the
> > user.  If the Root CA certificate is deleted from the client, the server
> > sends both the Root CA public key and the intermediate CA public key,
> > Opera prompts the user letting them know that it doesn't know about any of
> > the 3 components and asking the user if he would like to trust the CAs.
> > The fact that the client even knows about the Root CA means that the
> > server is sending the whole chain along.
> >
> > I'm not writing to ask about either of these programs (Apache/uw-imapd)
> > because that is obviously discussion for a different list.  What I'm
> > wondering about is the protocol in general -- should the server send the
> > whole path, or not?  Is there a standard?
> >
> > Thanks for any information you can provide.
> >
> > Jason Keltz
> > [EMAIL PROTECTED]
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    openssl-users@openssl.org
> > Automated List Manager                           [EMAIL PROTECTED]
>