diff options
author | Ingela Anderton Andin <[email protected]> | 2014-09-01 15:39:21 +0200 |
---|---|---|
committer | Ingela Anderton Andin <[email protected]> | 2014-09-09 11:28:36 +0200 |
commit | 1c9e0651c4917b63f49d8505dba7e820da8e32d2 (patch) | |
tree | 3aeadc7daec09d1b2f9c3303484859468ab34a1e /HOWTO | |
parent | 6e2fd45bad619fd7e06f21798eac94d415dff64e (diff) | |
download | otp-1c9e0651c4917b63f49d8505dba7e820da8e32d2.tar.gz otp-1c9e0651c4917b63f49d8505dba7e820da8e32d2.tar.bz2 otp-1c9e0651c4917b63f49d8505dba7e820da8e32d2.zip |
ssl, public_key: Add new option partial_chain
Check that the certificate chain ends with a trusted ROOT CA e.i. a
self-signed certificate, but provide an option partial_chain to
enable the application to define an intermediat CA as trusted.
TLS RFC says:
"unknown_ca
A valid certificate chain or partial chain was received, but the
certificate was not accepted because the CA certificate could not
be located or couldn't be matched with a known, trusted CA. This
message is always fatal."
and also states:
"certificate_list
This is a sequence (chain) of certificates. The sender's
certificate MUST come first in the list. Each following
certificate MUST directly certify the one preceding it. Because
certificate validation requires that root keys be distributed
independently, the self-signed certificate that specifies the root
certificate authority MAY be omitted from the chain, under the
assumption that the remote end must already possess it in order to
validate it in any case."
X509 RFC says:
"The selection of a trust anchor is a matter of policy: it could be
the top CA in a hierarchical PKI, the CA that issued the verifier's
own certificate(s), or any other CA in a network PKI. The path
validation procedure is the same regardless of the choice of trust
anchor. In addition, different applications may rely on different
trust anchors, or may accept paths that begin with any of a set of
trust anchors."
Diffstat (limited to 'HOWTO')
0 files changed, 0 insertions, 0 deletions