This forum has been archived. Please start a new discussion on GitHub.

Certificate list does not contain the chain when using SecureTransport and IceSSL.CAs


I'm using IceSSL on C++. I noticed this difference in behavior when doing tests on windows and macOS.

My certificate chain is like this: rootCA - CA1 - CA2 - serverCertificate.

The server has been configured to send only the serverCertificate (it does not send any of the CAs).

On the client side, I created a certificate file with this chain with rootCA + CA1 + CA2. I set this file up with IceSSL.CAs.

If my client is on windows, then during the connection I get a length of 4 in the certs (server certificate + all CAs).

If my client is on macOS, then during the connection I get a length of 2 in the certs (server certificate + CA2).

Also, on macOS, if I just add all the CAs to the certificate store and disable IceSSL.CAs I get the same number of certificates (4) as windows.

Is this expected behavior? And if so, is this due to a SecureTransport limitation / different behavior?



  • xdm
    xdm La Coruña, Spain

    Hi Fabio,

    This is expected behavior, when you set IceSSL.CAs like this CA1 and CA2 are trusted anchors, and SecureTransport stops at the first trusted anchor, on Windows intermediate CAs are not treated as trusted anchors by default, and it continues up to the Root CA. This behavior is configurable in SChannel API with CERT_TRUST_IS_CA_TRUSTED but IceSSL doesn't set this flag.

    Ideally, IceSSL.CAs should only refer to the trusted root CAs, this is not intended for intermediate CAs that are not trusted anchors.


  • Hi Jose.

    That makes sense. Thanks for the explaining the difference in behavior.