Certificate list does not contain the chain when using SecureTransport and IceSSL.CAs
I'm using IceSSL with C++. I noticed this difference in behavior when doing tests on Windows and macOS.
My certificate chain is like this: rootCA - CA1 - CA2 - serverCertificate.
The server has been configured to send only the serverCertificate (it does not send any of the CAs).
On the client side, I created a certificate file with this chain with rootCA + CA1 + CA2. I set this file up with IceSSL.CAs.
If my client is on Windows, then during the connection I get a length of 4 in the certs (server certificate + all CAs).
If my client is on macOS, then during the connection I get a length of 2 in the certs (server certificate + CA2).
Also, on macOS, if I just add all the CAs to the certificate store and disable IceSSL.CAs, I get the same number of certificates (4) as on Windows.
Is this expected behavior? And if so, is this due to a SecureTransport limitation / different behavior?
This is expected behavior: when you set IceSSL.CAs this way, rootCA, CA1 and CA2 are trusted anchors, and SecureTransport stops at the first trusted anchor. On Windows, intermediate CAs are not treated as trusted anchors by default, and it continues up to the Root CA. This behavior is configurable in the SChannel API with CERT_TRUST_IS_CA_TRUSTED, but IceSSL doesn't set this flag.
IceSSL.CAs should only refer to the trusted root CAs; this is not intended for intermediate CAs that are not trusted anchors.
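The two chain-building policies the reply describes, as an added example that is not part of the original thread and not IceSSL code: the openssl command-line tool (assumed to be on PATH as `openssl`, version 1.1.1 or newer) builds a rootCA - CA1 - CA2 - server chain with the names from the question, then verifies the server certificate once with OpenSSL's default policy, which walks up to a self-signed root the way SChannel does on Windows, and once with `-partial_chain`, which accepts the first trusted anchor it meets the way SecureTransport does. It also shows the recommended setup, root-only anchors, which only works when the server sends its intermediates; a server that sends just its own certificate, as in the question, then fails verification. `mkcert`, `build_pki` and `chain_len` are helper names invented for this demo.

```shell
#!/bin/sh
# Added example (not from the original thread or from IceSSL): reproduce the two
# chain-building policies with the openssl CLI. Assumes `openssl` 1.1.1+ on PATH.
# Names rootCA/CA1/CA2/server follow the question; everything else is constructed.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# mkcert NAME ISSUER IS_CA -- issue a 1-day RSA cert; ISSUER=self means self-signed.
mkcert() {
    name=$1; issuer=$2; is_ca=$3
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
        -out "$WORK/$name.csr" -subj "/CN=$name" 2>/dev/null
    if [ "$is_ca" = yes ]; then
        # basicConstraints CA:TRUE + keyCertSign are what OpenSSL requires of an issuer
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
            >"$WORK/$name.ext"
    else
        printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=serverAuth\n' \
            >"$WORK/$name.ext"
    fi
    if [ "$issuer" = self ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 1 \
            -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
            -CAkey "$WORK/$issuer.key" -CAcreateserial -days 1 \
            -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
    fi
}

# build_pki -- rootCA -> CA1 -> CA2 -> server, plus the two bundles discussed above.
build_pki() {
    mkcert rootCA self yes
    mkcert CA1 rootCA yes
    mkcert CA2 CA1 yes
    mkcert server CA2 no
    # what the asker put in IceSSL.CAs: root and both intermediates as anchors
    cat "$WORK/rootCA.pem" "$WORK/CA1.pem" "$WORK/CA2.pem" >"$WORK/cas.pem"
    # what a correctly configured server sends alongside its own certificate
    cat "$WORK/CA1.pem" "$WORK/CA2.pem" >"$WORK/intermediates.pem"
}

# chain_len TRUSTFILE [verify options...] -- number of certificates in the chain
# openssl builds for server.pem using only TRUSTFILE as anchors; 0 if it fails.
chain_len() {
    trust=$1; shift
    openssl verify -show_chain -no-CAfile -no-CApath -CAfile "$trust" "$@" \
        "$WORK/server.pem" 2>/dev/null | grep -c '^depth=' || true
}

build_pki

# root+CA1+CA2 as anchors, default policy: keep walking until a self-signed root,
# like SChannel on Windows -> server, CA2, CA1, rootCA = 4
WINDOWS_LIKE=$(chain_len "$WORK/cas.pem")
# same anchors, -partial_chain: stop at the first trusted cert (CA2),
# like SecureTransport on macOS -> server, CA2 = 2
MACOS_LIKE=$(chain_len "$WORK/cas.pem" -partial_chain)
# recommended: only rootCA is an anchor and the server sends CA1+CA2 -> 4
ROOT_WITH_SENT_INTERMEDIATES=$(chain_len "$WORK/rootCA.pem" -untrusted "$WORK/intermediates.pem")
# root-only anchor but the server sends just its own cert (the question's server) -> fails
ROOT_ONLY=$(chain_len "$WORK/rootCA.pem")

echo "anchors=root+CA1+CA2, walk to root (SChannel-like):       $WINDOWS_LIKE certs"
echo "anchors=root+CA1+CA2, stop at first (SecureTransport-like): $MACOS_LIKE certs"
echo "anchor=root, server sends intermediates:                   $ROOT_WITH_SENT_INTERMEDIATES certs"
echo "anchor=root, server sends only its cert:                   $ROOT_ONLY certs (verification failed)"
```

The last case is the practical caveat behind the reply's advice: once IceSSL.CAs holds only the root, a server that sends nothing but its own certificate cannot be verified, so trimming the client's trust file has to go together with configuring the server to send CA1 and CA2.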
That makes sense. Thanks for explaining the difference in behavior.