Re: Trust intermediate CA for client certificates

On 12/02/2013 02:01 PM, Andrew Dunstan wrote:
> AIUI, you need a complete chain from one end to the other. So the cert
> being checked can include the intermediate cert in what it sends, or it
> can be in the root.crt at the other end, but one way or another, the
> checking end needs a complete chain from a root cert to the cert from
> the other end.

Yes. And the problem is that there is no way to prevent OpenSSL from
accepting intermediate certificates supplied by the client. As a
result, the server cannot accept client certificates signed by one
intermediate CA without also accepting *any* client certificate that can
present a chain back to the root CA.

Frankly, this whole conversation reinforces my belief that this behavior
is so counter-intuitive that it really should be changed.

GnuTLS for the win?

--
========================================================================
Ian Pilcher arequipeno(at)gmail(dot)com
Sent from the cloud -- where it's already tomorrow
========================================================================