1.0.2j
On Fri, Jun 1, 2018, 3:52 AM Viktor Dukhovni
wrote:
>
>
> > On May 31, 2018, at 6:08 PM, Sandeep Deshpande
> wrote:
> >
> > Hi Rich.. Thanks..
> > We want to add a check in our openssl library on client side to reject
> such server certificate which are generated by the intermediate CA
> On May 31, 2018, at 6:08 PM, Sandeep Deshpande wrote:
>
> We want to add a check in our openssl library on client side to reject such
> server certificate which are generated by the intermediate CA with missing
> extensions like basic constraints..
> How do we go about it?
>
> I looked
I don’t recall the details of 1.0.2, sorry. Maybe someone else on this list
knows the best place to insert your checks.
From: Sandeep Deshpande
Date: Thursday, May 31, 2018 at 6:08 PM
To: Rich Salz , openssl-users
Subject: Re: [openssl-users] Fwd: basic constraints check
Hi Rich.. Thanks
> On May 31, 2018, at 6:08 PM, Sandeep Deshpande wrote:
>
> Hi Rich.. Thanks..
> We want to add a check in our openssl library on client side to reject such
> server certificate which are generated by the intermediate CA with missing
> extensions like basic constraints..
> How do we go
Hi Rich.. Thanks..
We want to add a check in our openssl library on client side to reject such
server certificate which are generated by the intermediate CA with missing
extensions like basic constraints..
How do we go about it?
I looked at the code. In crypto/x509v3/v3_purp.c I see that check_ca
* We generated intermediate02 such that it has "basicConstraints" extension
and "keyUsage" missing. Now we used this intermediate 02 CA to sign server
certificate.
If those extensions, which are *optional,* are not present, then there is no
limit on how the keys may be used, or how long
Hi ,
We are using openssl 1.0.2j and have 3 level certificates like this.
root CA --> intermediate 01 CA-->intermediate02 CA -->Server certificate.
We generated intermediate02 such that it has "basicConstraints" extension
and "keyUsage" missing. Now we used this intermediate 02 CA to sign