On Tue, Jun 02, 2009 at 01:25:32PM +0100, David Woodhouse wrote:

> On Mon, 2009-06-01 at 17:15 -0400, Victor Duchovni wrote:
> > > I found another strange behaviour that I didn't expect -- the _order_ of
> > > the certificates in the cafile seems to be important.
> >
> > Yes, the TLS protocol requires the trust chain to be delivered bottom-up.
>
> That makes sense, but we're talking about the order of the certificates
> in the cafile, not on the wire. OpenSSL really ought to get that right.

The CAfile is for verification, not for sending along the trust chain of
a given certificate. DO NOT append your CAfile to your certificate,
instead include just the leaf cert, then the issuing CAs bottom-up in
the right order.

-- 
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
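
The ordering described in the reply above, as an added example that is not part of the original message or of OpenSSL itself: a check that a certificate file lists the leaf first and then each issuing CA bottom-up. The function names, file names and the throwaway demo CA are assumptions constructed for illustration; the check compares names only and does not verify signatures.

```bash
#!/bin/bash
# chain_order FILE: print "ok" if every certificate after the first is the
# issuer of the one before it (leaf first, then issuing CAs bottom-up).
# Compares subject/issuer name hashes only; signatures are not verified.
chain_order() {
    local dir prev_issuer="" n=0 f subj
    dir=$(mktemp -d) || return 2
    # Split the bundle into one numbered file per certificate.
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%03d.pem", d, n) }
                     n { print > f }' "$1"
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || { echo "no certificates found"; rm -rf "$dir"; return 2; }
        n=$((n + 1))
        subj=$(openssl x509 -in "$f" -noout -subject_hash)
        if [ -n "$prev_issuer" ] && [ "$subj" != "$prev_issuer" ]; then
            echo "misordered at certificate $n"; rm -rf "$dir"; return 1
        fi
        prev_issuer=$(openssl x509 -in "$f" -noout -issuer_hash)
    done
    rm -rf "$dir"; echo ok
}

# make_demo_chain DIR: build a constructed, throwaway root -> int -> leaf chain.
make_demo_chain() {
    local d=$1 who ca
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/int.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    for who in int leaf; do
        [ "$who" = int ] && ca=root || ca=int
        openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo $who" \
            -keyout "$d/$who.key" -out "$d/$who.csr" 2>/dev/null
        openssl x509 -req -in "$d/$who.csr" -days 1 -CA "$d/$ca.pem" \
            -CAkey "$d/$ca.key" -CAcreateserial -extfile "$d/$who.ext" \
            -out "$d/$who.pem" 2>/dev/null
    done
}

demo=$(mktemp -d) && make_demo_chain "$demo"
# Certificate file as advised: leaf, then its issuing CA.
cat "$demo/leaf.pem" "$demo/int.pem" > "$demo/good.pem"
# The mistake warned against: a CAfile (arbitrary order) appended to the leaf.
cat "$demo/leaf.pem" "$demo/root.pem" "$demo/int.pem" > "$demo/bad.pem"
echo "good.pem: $(chain_order "$demo/good.pem")"
echo "bad.pem:  $(chain_order "$demo/bad.pem")"
```
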