Home Comments

Certificate list does not contain the chain when using SecureTransport and IceSSL.CAs

FabioMoreiraFabioMoreira Member Fábio MoreiraOrganization: HPProject: Remote Desktop solution

Greetings.

I'm using IceSSL on C++. I noticed this difference in behavior when doing tests on windows and macOS.

My certificate chain is like this: rootCA - CA1 - CA2 - serverCertificate.

The server has been configured to send only the serverCertificate (it does not send any of the CAs).

On the client side, I created a certificate file with this chain with rootCA + CA1 + CA2. I set this file up with IceSSL.CAs.

If my client is on windows, then during the connection I get a length of 4 in the certs (server certificate + all CAs).

If my client is on macOS, then during the connection I get a length of 2 in the certs (server certificate + CA2).

Also, on macOS, if I just add all the CAs to the certificate store and disable IceSSL.CAs I get the same number of certificates (4) as windows.

Is this expected behavior? And if so, is this due to a SecureTransport limitation / different behavior?

Thanks,
Fábio

Comments

  • xdmxdm La Coruña, SpainAdministrators, ZeroC Staff Jose Gutierrez de la ConchaOrganization: ZeroC, Inc.Project: Ice Developer ZeroC Staff

    Hi Fabio,

    This is expected behavior, when you set IceSSL.CAs like this CA1 and CA2 are trusted anchors, and SecureTransport stops at the first trusted anchor, on Windows intermediate CAs are not treated as trusted anchors by default, and it continues up to the Root CA. This behavior is configurable in SChannel API with CERT_TRUST_IS_CA_TRUSTED but IceSSL doesn't set this flag.

    Ideally, IceSSL.CAs should only refer to the trusted root CAs, this is not intended for intermediate CAs that are not trusted anchors.

    Cheers,
    Jose

  • FabioMoreiraFabioMoreira Member Fábio MoreiraOrganization: HPProject: Remote Desktop solution

    Hi Jose.

    That makes sense. Thanks for the explaining the difference in behavior.

    Cheers,
    Fábio

Sign In or Register to comment.