On Tue, Mar 07, 2006, Olaf Gellert wrote:

> Samy Thiyagarajan wrote:
> > 
> > Hi,
> > Maybe changing the verification of the depth level solves this issue (
> > I mean check the chain only up to User CA 1 and not up to the Root CA ).
> > In this case it should not report about a missing valid root.
> > 
> > I'm not sure. This is just an idea.
> 
> Good idea. But unfortunately it does not work out. I removed the
> root-certificate from the SSLCACertificateFile. The Server now only
> allows the user CA 1 (otherwise it still offers the root CA as
> valid CA). And I shortened the verifyDepth to one. But the server
> denies access saying:
> 
> [Tue Mar 07 15:56:34 2006] [error] Certificate Verification: Error (20): unable to get local issuer certificate
> 
> Seems that "verifyDepth" still requires a self-signed root
> certificate (so the chain has to reach the toplevel in the
> given number of steps).
> 
> Hm... Any other proposals? :-)
> 

There are several options. One is to turn off chain verification. That
would mean that the verify function no longer uses untrusted CAs from the peer
and you place the rest of the chain in the trusted store.

Unfortunately there isn't a verify flag to do that directly so you'd have to
override the standard verify function and replace it with exactly the same
code *except* it would pass a NULL for the set of untrusted certificates.

A second option is to add a purpose setting which rejects any and all CAs
while keeping the standard behaviour for non-CAs.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
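Added example, not code from the thread or from OpenSSL: a throwaway PKI (constructed names, Root CA -> "User CA 1" -> client certificate) built with the openssl command line that reproduces the error 20 rejection Olaf saw when only the intermediate is in the store, shows the usual acceptance through the root, and shows the intermediate used as the trust anchor. It assumes the openssl CLI is on PATH; the -partial_chain flag used in the last case arrived in OpenSSL 1.0.2, years after this thread, which is why Steve's answer needs a custom verify callback instead.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway PKI
# (Root CA -> "User CA 1" -> client cert; all names constructed) and shows
# why Olaf's setup fails and how an intermediate can be made a trust anchor.
# Needs the openssl CLI, 1.0.2 or later for -partial_chain.
# mk_pki DIR: write root.pem, userca1.pem, client.pem (and keys) into DIR
mk_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >"$d/ca.ext"
  # self-signed root
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
    -subj "/CN=Example Root CA" >/dev/null 2>&1
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 365 \
    -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1
  # intermediate "User CA 1", issued by the root
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/userca1.key" -out "$d/userca1.csr" \
    -subj "/CN=User CA 1" >/dev/null 2>&1
  openssl x509 -req -in "$d/userca1.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 365 -extfile "$d/ca.ext" -out "$d/userca1.pem" >/dev/null 2>&1
  # end-entity client certificate, issued by User CA 1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/client.key" -out "$d/client.csr" \
    -subj "/CN=client" >/dev/null 2>&1
  openssl x509 -req -in "$d/client.csr" -CA "$d/userca1.pem" -CAkey "$d/userca1.key" \
    -CAcreateserial -days 365 -out "$d/client.pem" >/dev/null 2>&1
}
# verify_chain STORE CERT [extra openssl verify flags]: exit 0 if accepted
verify_chain() {
  store=$1; cert=$2; shift 2
  openssl verify "$@" -CAfile "$store" "$cert" >/dev/null 2>&1
}

PKI=$(mktemp -d)
mk_pki "$PKI"
# 1. Store holds only User CA 1, default rules: the chain has to reach a
#    self-signed root, so this is rejected with error 20, as in the server log.
verify_chain "$PKI/userca1.pem" "$PKI/client.pem" && { echo "case 1: unexpectedly accepted"; exit 1; }
echo "case 1: rejected, no self-signed root in the store"
# 2. Root in the store, intermediate sent by the peer as untrusted: accepted,
#    but so is any certificate under any other sub-CA of that root.
verify_chain "$PKI/root.pem" "$PKI/client.pem" -untrusted "$PKI/userca1.pem" || exit 1
echo "case 2: accepted through the root"
# 3. User CA 1 itself as trust anchor. Current OpenSSL has a flag for this
#    (X509_V_FLAG_PARTIAL_CHAIN / -partial_chain); in 2006 it took a custom
#    verify callback, as Steve describes.
verify_chain "$PKI/userca1.pem" "$PKI/client.pem" -partial_chain || exit 1
echo "case 3: accepted with User CA 1 as the trust anchor"
rm -rf "$PKI"
```

Case 2 is the behaviour Olaf wants to avoid: with the root in SSLCACertificateFile, every sub-CA under that root becomes acceptable, which is exactly why he removed it.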