On 11/14/2016 02:16 PM, Andrew Zaborowski wrote:
The certificate chain from the Server Certificate message may be a
complete chain from the server's certificate to the root CA. l_keyring_link
would fail if we tried to add the self-signed root CA to the ring;
this seems to be unrelated to that certificate being the same as the
one in the trusted ring.
In the early userspace tls_cert_verify_certchain implementation the
verification would succeed if any of the certificates in the chain
was trusted by the supplied CA and the trust chain was correct, but the
RFC implies this must be the root CA (see the comment in the code).
ell/tls.c | 21 +++++++++++++++++----
1 file changed, 17 insertions(+), 4 deletions(-)
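The two acceptance rules the commit message contrasts, as an added Python model that is not ell's code (ell's tls_cert_verify_certchain and l_keyring_link are C, and nothing below reflects their real API). Certificates and signatures are toy stand-ins (a "signature" is just a hash bound to the issuer's key id, so nothing here is cryptographically meaningful), and all names and key ids are constructed; what the model shows is the structural difference between "any certificate in the chain is trusted" and "the chain terminates at a trusted self-signed root", including the case where the server sends the root itself.

```python
"""Toy model of server certificate-chain verification (added example, not ell code)."""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str        # stand-in for the subject public key
    signature: str     # stand-in: sha256(issuer_key_id || tbs), NOT a real signature

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def _tbs(subject: str, issuer: str, key_id: str) -> bytes:
    return f"{subject}|{issuer}|{key_id}".encode()


def _toy_sign(issuer_key_id: str, tbs: bytes) -> str:
    return hashlib.sha256(issuer_key_id.encode() + tbs).hexdigest()


def issue(subject: str, key_id: str, issuer: "Cert | None" = None) -> Cert:
    """Issue a certificate for subject; issuer=None produces a self-signed root."""
    issuer_name = issuer.subject if issuer else subject
    issuer_key = issuer.key_id if issuer else key_id
    tbs = _tbs(subject, issuer_name, key_id)
    return Cert(subject, issuer_name, key_id, _toy_sign(issuer_key, tbs))


def signed_by(cert: Cert, issuer: Cert) -> bool:
    """Issuer name must match AND the signature must verify under the issuer's key."""
    expected = _toy_sign(issuer.key_id, _tbs(cert.subject, cert.issuer, cert.key_id))
    return cert.issuer == issuer.subject and cert.signature == expected


def chain_is_consistent(chain: list) -> bool:
    """RFC 5246 ordering: each certificate is signed by the one that follows it."""
    return all(signed_by(chain[i], chain[i + 1]) for i in range(len(chain) - 1))


def verify_lax(chain: list, trusted: set) -> bool:
    """Old rule: chain consistent and *any* certificate in it is in the trust store."""
    return bool(chain) and chain_is_consistent(chain) and any(c in trusted for c in chain)


def verify_strict(chain: list, trusted: set) -> bool:
    """New rule: the walk must end at a trusted self-signed root.

    A self-signed root the server included is never "linked" into the store
    (that is the failure the commit message describes); it is matched against
    the trusted roots instead, and chain_is_consistent already checked that
    the certificate below it is signed by it.
    """
    if not chain or not chain_is_consistent(chain):
        return False
    roots = {c for c in trusted if c.self_signed}
    top = chain[-1]
    if top.self_signed:
        return top in roots
    return any(signed_by(top, root) for root in roots)


# Constructed sample PKI: root -> issuing CA -> server leaf, plus a rogue CA
# that reuses the issuing CA's name under a different key.
ROOT = issue("Example Root CA", "root-key")
INTER = issue("Example Issuing CA", "inter-key", ROOT)
LEAF = issue("www.example.test", "leaf-key", INTER)
ROGUE_ROOT = issue("Rogue Root", "rogue-key")
ROGUE_INTER = issue("Example Issuing CA", "inter-key-2", ROGUE_ROOT)


if __name__ == "__main__":
    print("leaf+inter, trust root        strict:", verify_strict([LEAF, INTER], {ROOT}))
    print("leaf+inter+root, trust root   strict:", verify_strict([LEAF, INTER, ROOT], {ROOT}))
    print("leaf+inter, trust inter only  lax:   ", verify_lax([LEAF, INTER], {INTER}))
    print("leaf+inter, trust inter only  strict:", verify_strict([LEAF, INTER], {INTER}))
    print("leaf+rogue inter (same name)  strict:", verify_strict([LEAF, ROGUE_INTER], {ROOT, ROGUE_ROOT}))
```

The third and fourth cases are the behavioural change: with only the issuing CA in the store, the old any-certificate rule accepts the chain while the strict rule rejects it because the walk never reaches a trusted root. The last case shows why the walk compares signatures and not just issuer names.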