Hi,
# be checked against the DN of the issuer in # the client certificate. If the values do not # match, the cerficate verification will fail, # rejecting the user.
That's only for the client cert.
yes, I'm looking at it , i believe, the right way around - I have a remote RADSEC client talking to this server - so that remote server is a client...
(0) <<< TLS 1.0 Handshake [length 08b8], Certificate (0) chain-depth=1,
That's the issue: depth=1. If it was zero, then the check_cert_issuer code would apply.
Which certificate is being checked here? Where did it come from?
this is a straight forward cert that has been signed by the eduPKI system - no chained certificate IIRC (though a chained CA shouldnt be an issue either as many clients are signed by a CA that is chained to a CA....) <snip> Certificate: Data: Version: 3 (0x2) Serial Number: xxxxxxxxxx (0xxxxxxxxxx) Signature Algorithm: sha1WithRSAEncryption Issuer: DC=org, DC=edupki, CN=eduPKI CA G 01 Validity Not Before: Feb 28 08:29:05 2011 GMT Not After : Feb 27 08:29:05 2016 GMT Subject: DC=net, DC=geant, DC=eduroam, C=GB, O=Loughborough University, CN=server.lboro.ac.uk Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): <snip> Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication X509v3 Subject Key Identifier: <snip> X509v3 Authority Key Identifier: <snip> X509v3 Subject Alternative Name: DNS:server.lboro.ac.uk, email:removed@lboro.ac.uk X509v3 Certificate Policies: <snip> X509v3 CRL Distribution Points: URI:http://cdp.edupki.org/edupki-ca/pub/crl/cacrl.crl Authority Information Access: OCSP - URI:http://ocsp.edupki.org/OCSP-Server/OCSP CA Issuers - URI:http://cdp.edupki.org/edupki-ca/pub/cacert/cacert.crt I've removed some things for privacy/security...and other bits because I'm not too familiar with eduPKI policy on disclosure - eg OID policies... alan