[openssl-dev] [openssl.org #3621] Support legacy CA removal, ignore unnecessary intermediate CAs in SSL/TLS handshake by default
Viktor Dukhovni
openssl-users at dukhovni.org
Tue Dec 30 06:49:16 UTC 2014
On Tue, Dec 16, 2014 at 03:02:22PM +0100, Hubert Kario wrote:
> > DANE TLSA PKIX-TA(0) records can designate the digest of a trust
> > anchor selected by the server operator. When TLS server transmits
> > a corresponding certificate chain it may not be safe to replace
> > that chain with a shorter chain, because the shorter chain may not
> > employ the designated trust anchor, causing DANE TLSA checks to
> > fail.
>
> But then why would you use the PKIX chain builder with system root store?
With certificate usage PKIX-TA(0) that's exactly what one is supposed
to do. You're confusing PKIX-TA(0) with DANE-TA(2).
> If you use DANE with CA digest, then the server needs to send all
> certificates, so you just need to validate the chain you have - you don't
> have
See above.
--
Viktor.
More information about the openssl-dev
mailing list