Arno Garrels wrote:
> Next create a CAFile that contains both [1] and [2]
> (I think [1] has to be the first, however I always forget the order
> in which they must appear, just play).

The best way to determine what certificates are sent to the peer requesting certificate verification is to add them to the PEM file specified in TSslContext.SslCertFile. The order starts with the server or client certificate followed by required intermediate certificates until the root certificate, for example:

// Server or client certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
// Intermediate CA, signed preceding certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
// Here we do not add the root since we assume the verifying
// peer has at least the root in his trusted certificates.
// But it could be appended as well if you like.
// If there are more intermediate CAs in the chain they all
// have to be added.

--
Arno Garrels
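Added example, not part of the original post and not ICS code: a Python check that a PEM bundle intended for TSslContext.SslCertFile follows the order described above, by comparing each certificate's issuer name with the subject name of the certificate after it. It checks name chaining only, not signatures; the sample certificates are constructed, unsigned stand-ins, and every function name here is this example's own.

```python
import base64
import re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                       # long form: low 7 bits = count of length bytes
        size = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    return tag, pos, pos + n

def issuer_and_subject(der):
    """Raw DER of the issuer and subject Names of one X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)       # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)     # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    pos = end if tag == 0xA0 else pos  # skip the optional explicit [0] version
    fields = []
    for _ in range(5):                 # serial, sigAlg, issuer, validity, subject
        _, _, end = read_tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def check_chain_order(pem_text):
    """Problems found in a leaf-first bundle; an empty list means the order chains."""
    ders = [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(pem_text)]
    names = [issuer_and_subject(d) for d in ders]
    problems = [] if ders else ["no certificates found"]
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            problems.append(f"cert {i + 1}: issuer is not the subject of cert {i + 2}")
    return problems

# --- constructed sample input: cert-shaped DER, unsigned, for illustration only ---
def tlv(tag, body):
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_cert(issuer_cn, subject_cn):
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
           + name(issuer_cn) + tlv(0x30, b"") + name(subject_cn))
    body = base64.encodebytes(tlv(0x30, tlv(0x30, tbs))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"
LEAF = sample_cert("Sample SSL CA", "www.example.test")
INTERMEDIATE = sample_cert("Sample Root CA", "Sample SSL CA")
```

check_chain_order("// leaf\n" + LEAF + "// intermediate\n" + INTERMEDIATE) returns an empty list, while the reversed bundle INTERMEDIATE + LEAF reports that the first certificate's issuer is not the subject of the second.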
