Python SSL server to provide intermediate CA certificates
I am using the Python (2.7) ssl module to write server code as follows:
ssock = ssl.wrap_socket(sock, ca_certs="all-ca.crt", keyfile="server.key", certfile="server.crt", server_side=True, ssl_version=ssl.PROTOCOL_TLSv1)
The 'all-ca.crt' contains the signing CA certificate and the root CA certificate:
-----BEGIN CERTIFICATE----- ... (signing CA) ... -----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- ... (root CA) ... -----END CERTIFICATE-----
The documentation of the Python ssl module states:
In general, if you are using SSL3 or TLS1, you don't need to put the full chain in your "CA certs" file; you only need the root certificates, and the remote peer is supposed to furnish the other certificates necessary to chain from its certificate to a root certificate.
And that matches my experience from having written SSL servers in C. It doesn't seem to work here though. If I write a client that uses the root certificate in the wrap_socket() call:
csock = ssl.wrap_socket(sock, ca_certs="root-ca.crt", cert_reqs=ssl.CERT_REQUIRED, ssl_version=ssl.PROTOCOL_TLSv1)
then an exception is raised:
ssl.SSLError: [Errno 1] _ssl.c:499: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
If I instead pass all-ca.crt as the client's ca_certs argument, it works as expected, but that is inconvenient at the client side and should not be required.
Is there a way I can tell the server side that it needs to provide the intermediate CA certificates to the client on negotiation?
On the server side, the ca_certs option is used to verify the client's certificate. (If CERT_REQUIRED is set, the server asks the client to provide a certificate.)
In fact, the CA certificates in ca_certs are not sent to clients. The server sends only its own certificate to clients. You can put the intermediate certificates together with the server's certificate in server.crt. For example, use
cat server.crt intermediate-ca.crt root-ca.crt > server-chain.crt
to produce the chain.
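Added example (Python 3, not code from the question or the answer) that puts the answer's point into code: split_pem_bundle and build_server_chain are assumed helper names, the PEM bodies are constructed placeholders rather than real certificates, and the two SSLContext functions are the modern equivalent of the wrap_socket() calls above, with the chain file loaded on the server side and only the root CA on the client side.

```python
import ssl

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def split_pem_bundle(text):
    """Return the PEM certificate blocks in `text`, in file order. Each block goes
    through ssl.PEM_cert_to_DER_cert, which raises ValueError if it is malformed."""
    blocks, pos = [], 0
    while True:
        start = text.find(BEGIN, pos)
        if start < 0:
            return blocks
        end = text.find(END, start)
        if end < 0:
            raise ValueError("certificate block without END marker")
        pos = end + len(END)
        block = text[start:pos] + "\n"
        ssl.PEM_cert_to_DER_cert(block)
        blocks.append(block)

def build_server_chain(server_pem, intermediates, root_pem=None):
    """Concatenate in the order TLS expects: the server's certificate first, then the
    intermediates towards the root. The root is optional; a verifying client has it."""
    parts = [server_pem] + list(intermediates) + ([root_pem] if root_pem else [])
    for part in parts:
        if len(split_pem_bundle(part)) != 1:
            raise ValueError("each input must hold exactly one certificate")
    return "".join(parts)

def server_context(chain_path, key_path, client_ca_path=None):
    """The chain file is what load_cert_chain() sends to clients; the CA file is
    only needed on the server when client certificates are to be verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile=chain_path, keyfile=key_path)
    if client_ca_path:
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=client_ca_path)
    return ctx

def client_context(root_ca_path):
    # The client trusts only the root; the intermediates arrive in the handshake.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED by default
    ctx.load_verify_locations(cafile=root_ca_path)
    return ctx

# Constructed stand-in blocks: the base64 bodies are placeholders, not real certificates.
SERVER_PEM = BEGIN + "\nc2VydmVy\n" + END + "\n"
INTERMEDIATE_PEM = BEGIN + "\naW50ZXJtZWRpYXRl\n" + END + "\n"
ROOT_PEM = BEGIN + "\ncm9vdA==\n" + END + "\n"
```

With real files, `server_context("server-chain.crt", "server.key")` and `client_context("root-ca.crt")` reproduce the working setup from the answer, with the client no longer needing all-ca.crt.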