Why does OpenSSL report google's certificate is "self-signed"?
Viktor Dukhovni
openssl-users at dukhovni.org
Wed Mar 31 18:09:29 UTC 2021
> On Mar 31, 2021, at 2:04 PM, Walter H. <Walter.H at mathemainzel.info> wrote:
>
> On 31.03.2021 19:48, Viktor Dukhovni wrote:
>>> On Mar 31, 2021, at 1:43 PM, Michael Wojcik <Michael.Wojcik at microfocus.com> wrote:
>>>
>>> As far as I can see, neither PKIX (RFC 5280) nor the CA/BF Baseline Requirements say anything about the practice, though I may have missed something. I had a vague memory that some standard or "best practice" guideline somewhere said the server should send the chain up to but not including the root, but I don't know what that might have been.
>> Inclusion of the self-signed root is harmless.
>
> do some admins this really?
Since it is possible to do, inevitably some will do it.
>> The only case that
>> I know of where this is actually necessary is with DANE-TA(2) when
>> the TLSA RRset has a hash of the trusted root cert or public key.
>>
> this case is history, there doesn't exist any user agent, which has implemented this;
Well, that's false, just because you're not familiar with it, does not
mean it does not exist. OpenSSL, Postfix, Exim, Halon MTA, Cisco ESA,
PowerMTA, ... all support DANE, including DANE-TA(2).
Yes, no major browsers as yet supports DANE. But not all TLS is HTTPS
and not all HTTPS is browsers viewing websites.
--
Viktor.
More information about the openssl-users
mailing list