Why does OpenSSL report google's certificate is "self-signed"?

Walter H. Walter.H at mathemainzel.info
Wed Mar 31 18:04:15 UTC 2021


On 31.03.2021 19:48, Viktor Dukhovni wrote:
>> On Mar 31, 2021, at 1:43 PM, Michael Wojcik <Michael.Wojcik at microfocus.com> wrote:
>>
>> As far as I can see, neither PKIX (RFC 5280) nor the CA/BF Baseline Requirements say anything about the practice, though I may have missed something. I had a vague memory that some standard or "best practice" guideline somewhere said the server should send the chain up to but not including the root, but I don't know what that might have been.
> Inclusion of the self-signed root is harmless.

Do some admins really do this?

More often I have the problem that just the end SSL certificate is sent,
and without the intermediate certificate any validation is impossible;
in such a case I download the intermediate just to complete the chain.

> The only case that
> I know of where this is actually necessary is with DANE-TA(2) when
> the TLSA RRset has a hash of the trusted root cert or public key.
>
This case is history; there doesn't exist any user agent which has
implemented this.
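
The chain cases discussed in this message, as an added example that is not part of the original post: a throwaway three-tier PKI is built with the `openssl` CLI, and `openssl verify` is run against what a server might send (leaf only, leaf plus intermediate, leaf plus intermediate plus root). All certificate names, the temp directory layout, and the helper functions `new_root`, `issue` and `check` are constructed for this illustration.

```shell
#!/usr/bin/env bash
# Constructed demo PKI (all names invented): Demo Root -> Demo Intermediate -> leaf.
set -e
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

new_root() {  # new_root <name> <CN>: self-signed CA certificate
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=$2" -keyout "$d/$1.key" -out "$d/$1.pem" 2>/dev/null
}
issue() {     # issue <name> <CN> <issuer> [extra "openssl x509" options]
  local name=$1 cn=$2 ca=$3; shift 3
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$cn" -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
  openssl x509 -req -in "$d/$name.csr" -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
    -CAcreateserial -days 2 -out "$d/$name.pem" "$@" 2>/dev/null
}
new_root root  "Demo Root"
new_root other "Unrelated Root"
issue int  "Demo Intermediate" root -extfile "$d/ca.cnf" -extensions v3_ca
issue leaf "demo.example"      int

# Three variants of what a server might send in its Certificate message.
cat "$d/leaf.pem"                            > "$d/leaf_only.pem"
cat "$d/leaf.pem" "$d/int.pem"               > "$d/with_int.pem"
cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/with_root.pem"

# check <trust-anchor> <sent-bundle>: prints "ok" or "error N" (X509_V_ERR code).
# openssl verify checks only the first cert in a file; the same bundle is
# passed as -untrusted so the rest is available for chain building only.
check() {
  local out
  out=$(openssl verify -CAfile "$d/$1.pem" -untrusted "$d/$2.pem" "$d/$2.pem" 2>&1) \
    && { echo ok; return; }
  printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/error \1/p' | head -n 1
}

echo "leaf only,     root trusted: $(check root leaf_only)"
echo "leaf+int,      root trusted: $(check root with_int)"
echo "leaf+int+root, root trusted: $(check root with_root)"
echo "leaf+int+root, root unknown: $(check other with_root)"
```

Error 20 is "unable to get local issuer certificate" and error 19 is "self-signed certificate in certificate chain". A root sent by the server is used for chain building only and never becomes a trust anchor by being sent.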


