Hi Andrew,

On 11/14/2016 02:16 PM, Andrew Zaborowski wrote:
> The certificate chain from the Server Certificate message may be a
> complete chain from server's certificate to root CA. l_keyring_link
> would fail if we tried to add the self-signed root CA to the ring,
> this seems to be unrelated to that certificate being the same as the
> one in the trusted ring.
>
> In the early userspace tls_cert_verify_certchain implementation the
> verification would succeed if any of the certificates in the chain
> was trusted by the supplied CA + the trust chain was correct, but the
> RFC implies this must be the root CA (see the comment in the code).
> ---
>  ell/tls.c | 21 +++++++++++++++++----
>  1 file changed, 17 insertions(+), 4 deletions(-)
>

Applied, thanks.

Regards,
-Denis