|Issue||BSAFE: SSL-C: transmit client cert only instead of the complete chain|
We'd like the client to transmit only the client certificate, not the complete chain (the server has the subordinate CA and root CA in its trust store). What is the best method to ensure that only the client certificate is transmitted by SSL-C?
SSL-C does not support sending only the client certificate portion of the certificate chain. Since handshakes are generally a very small part of SSL communication, the bandwidth you might save should not be significant.
While SSL-C doesn't support removing the certificate chain from the client certificate, there are a couple of things you could try:
1. When you set the client certificate, don't include the certificate chain. (SSL-C can't send what it doesn't know about.)
2. Use SSL_CTX_set_client_cert_cb to set a callback function that returns only the client certificate, without the chain.
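To confirm what the client actually transmits after trying either option, the Certificate handshake message can be extracted from a packet capture and its entries counted. The following is an added example, not SSL-C code and not part of the original article; it assumes the TLS 1.2-or-earlier Certificate message layout, the helper name count_chain_certs is hypothetical, and the sample messages are constructed with placeholder bytes in place of real DER certificates.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed samples: 0x30 0x00 stands in for each DER certificate. */
static const uint8_t LEAF_ONLY[] = {11, 0,0,8, 0,0,5, 0,0,2, 0x30,0x00};
static const uint8_t FULL_CHAIN[] = {11, 0,0,18, 0,0,15,
    0,0,2, 0x30,0x00,  0,0,2, 0x30,0x00,  0,0,2, 0x30,0x00};
static const uint8_t TRUNCATED[] = {11, 0,0,8, 0,0,5, 0,0,4, 0x30,0x00};

/* Read a 24-bit big-endian length field. */
static size_t rd24(const uint8_t *p) {
    return ((size_t)p[0] << 16) | ((size_t)p[1] << 8) | p[2];
}

/* Count entries in a Certificate handshake message (msg_type 11).
 * Returns the certificate count, or -1 if the message is malformed.
 * Hypothetical helper, not part of SSL-C. */
int count_chain_certs(const uint8_t *msg, size_t len) {
    if (len < 7 || msg[0] != 11) return -1;
    size_t body = rd24(msg + 1);           /* handshake body length */
    if (body != len - 4) return -1;
    size_t list = rd24(msg + 4);           /* certificate_list length */
    if (list != body - 3) return -1;
    const uint8_t *p = msg + 7, *end = p + list;
    int n = 0;
    while (p < end) {
        if ((size_t)(end - p) < 3) return -1;      /* no room for length */
        size_t clen = rd24(p);
        p += 3;
        if (clen == 0 || clen > (size_t)(end - p)) return -1;
        p += clen;                                 /* skip the DER bytes */
        n++;
    }
    return n;
}

int main(void) {
    printf("leaf only:  %d\n", count_chain_certs(LEAF_ONLY, sizeof LEAF_ONLY));
    printf("full chain: %d\n", count_chain_certs(FULL_CHAIN, sizeof FULL_CHAIN));
    printf("truncated:  %d\n", count_chain_certs(TRUNCATED, sizeof TRUNCATED));
    return 0;
}
```

A count of 1 for the client's Certificate message means only the client certificate was sent; a higher count means chain certificates are still being included.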
|Legacy Article ID||a51204|