Hi Goetz,
* On server:
  * if your server cert is signed by the root,
    you can turn off sending of the root to the cert by
    SSL_CTX_set_mode(ctx, SSL_MODE_NO_AUTO_CHAIN)
I can't find this option (or similar) in the docs or header
files. Was this added in 0.9.7 or later?
Mark wrote:
Hello Mark,
You are still using 0.9.6?
I strongly recommend that you update OpenSSL to a newer version.
3-year-old software is almost like back to stone age...
Indeed I have already recommended this too. However we will be
using OpenSSL on OpenVMS 7.3-1 and HP's implementation
Hi Goetz,
Thanks again for the helpful reply.
Let me guess:
root CA -- signs -- client cert
        \- signs -- server cert
That's it.
To do verify on both sides you need:
* client: client key, client cert, root cert (to verify server cert)
* server: server key, server cert, root
Mark wrote:
I do things pretty much as you described except for the following:
* On server:
  * if your server cert is signed by the root,
    you can turn off sending of the root to the cert by
    SSL_CTX_set_mode(ctx, SSL_MODE_NO_AUTO_CHAIN)
I can't find this option (or similar) in the
Hi Goetz,
Thanks again for replying to my questions ;-)
I have read the manual page ;-) However I don't understand the full
implications of using or not using this function in a server. If I
use it what does the client do with it? Does the client still need
a copy of the root
Mark wrote:
Our application is a client/server application for which we (i.e. the server)
need to authenticate the client (users) and hence we are the only CA allowed.
This is not a public application so the server and all the client certs are
signed by us. Client authorisation is very
Hi Fred,
Thanks for the response.
I have read the manual page ;-) However I don't understand the full
implications of using or not using this function in a server. If I
use it what does the client do with it? Does the client still need
a copy of the root certificate or is this provided
Mark wrote:
Hi Fred,
Hello Mark,
I have read the manual page ;-) However I don't understand the full
implications of using or not using this function in a server. If I
use it what does the client do with it? Does the client still need
a copy of the root certificate or is this provided