http://issues.apache.org/bugzilla/show_bug.cgi?id=41123

------- Additional Comments From [EMAIL PROTECTED] 2007-11-28 16:13 -------

It wasn't quite as bad as I originally thought. The final verification step is the signature validation of each cert in the chain. So if that is successful the callback is called ok==1 for each cert in the chain. I thought that the chain went leaf to root, which would have allowed arbitrary URIs from a bogus chain. Instead it goes root to leaf, which isn't as bad but would allow a bogus EE cert to trigger chain validation because it isn't checked until the end.

As things stand the current_issuer field of X509_STORE_CTX can be used to obtain the issuer cert. Think that was first added in OpenSSL 0.9.7.

The only other case is when ok is set to 1 because it tolerates an earlier error. That could end up doing an OCSP (and CRL) check twice AFAICS.
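The callback ordering the comment describes, as an added example that is not part of the bug report, of OpenSSL or of mod_ssl: a constructed model of the root-to-leaf walk, where a signature failure is reported with ok=0 (which the callback may tolerate by returning 1, after which the library still delivers the per-cert ok=1 notification with the old error left in the context), and a naive callback next to a guarded one. The struct and function names (`verify_ctx_t`, `walk_chain`, `current_issuer`, `guarded_cb`) are assumptions of this model; the accessors mirror what the real `X509_STORE_CTX_get_current_cert()` and, in later OpenSSL releases, `X509_STORE_CTX_get0_current_issuer()` return, and the three-cert chain and its subject names are constructed test data.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of how X509_verify_cert() drives the application verify
 * callback (added example; not OpenSSL or mod_ssl code). chain[0] is the
 * end-entity (EE) cert and chain[chain_len-1] the trust anchor, matching the
 * order of the chain held in X509_STORE_CTX.
 */
#define MAX_CHAIN 8

typedef struct {
    const char *subject;
    int signature_valid;     /* does the issuer's signature over this cert verify? */
    int revocation_checked;  /* guard: OCSP/CRL already consulted for this cert */
} cert_t;

typedef struct {
    cert_t *chain[MAX_CHAIN];
    int chain_len;
    int error_depth;         /* index of the cert the callback is being told about */
    int error;               /* last error; stays set after it was tolerated */
} verify_ctx_t;

typedef int (*verify_cb_t)(int ok, verify_ctx_t *ctx);

/* Accessors modelled on X509_STORE_CTX_get_current_cert() and
 * X509_STORE_CTX_get0_current_issuer(): the issuer of the cert at depth d
 * is the cert at depth d+1; the self-signed root is its own issuer. */
static cert_t *current_cert(verify_ctx_t *ctx) { return ctx->chain[ctx->error_depth]; }
static cert_t *current_issuer(verify_ctx_t *ctx) {
    int d = ctx->error_depth + 1;
    return ctx->chain[d < ctx->chain_len ? d : ctx->error_depth];
}

/* Root-to-leaf walk: a signature failure is reported with ok=0 and the
 * callback may tolerate it by returning 1; the per-cert ok=1 notification
 * then follows as the final step for that depth, error still set. */
static int walk_chain(verify_ctx_t *ctx, verify_cb_t cb)
{
    for (int depth = ctx->chain_len - 1; depth >= 0; depth--) {
        ctx->error_depth = depth;
        if (!current_cert(ctx)->signature_valid) {
            ctx->error = 1; /* stands in for X509_V_ERR_CERT_SIGNATURE_FAILURE */
            if (!cb(0, ctx)) return 0;
        }
        if (!cb(1, ctx)) return 0;
    }
    return 1;
}

/* Trace of callback invocations and count of revocation lookups, for checking. */
static char g_trace[256];
static int g_lookups;

static void note_call(int ok, verify_ctx_t *ctx) {
    char buf[48];
    snprintf(buf, sizeof buf, "%s:%d;", current_cert(ctx)->subject, ok);
    strncat(g_trace, buf, sizeof g_trace - strlen(g_trace) - 1);
}

/* Naive callback: tolerates every error and performs a revocation lookup on
 * every invocation, so a tolerated EE error costs a second OCSP/CRL check. */
static int naive_cb(int ok, verify_ctx_t *ctx) {
    note_call(ok, ctx);
    g_lookups++;
    (void)current_issuer(ctx);
    return 1;
}

/* Guarded callback: never overrides an error, looks up revocation only when
 * the library reports success with no outstanding error, and at most once
 * per cert. The issuer cert is what an OCSP request would be built from. */
static int guarded_cb(int ok, verify_ctx_t *ctx) {
    cert_t *cert = current_cert(ctx), *issuer = current_issuer(ctx);
    note_call(ok, ctx);
    if (ok && ctx->error == 0 && !cert->revocation_checked) {
        cert->revocation_checked = 1;
        g_lookups++;
        (void)issuer;
    }
    return ok;
}

/* Runs one callback over a constructed three-cert chain (EE, intermediate,
 * root); ee_sig_valid selects whether the EE signature verifies. */
static int run_chain(verify_cb_t cb, int ee_sig_valid)
{
    cert_t ee = { "ee", ee_sig_valid, 0 }, ica = { "ica", 1, 0 }, root = { "root", 1, 0 };
    verify_ctx_t ctx = { { &ee, &ica, &root }, 3, 0, 0 };
    g_trace[0] = '\0';
    g_lookups = 0;
    return walk_chain(&ctx, cb);
}

int main(void)
{
    run_chain(naive_cb, 0);
    printf("naive:   %s lookups=%d\n", g_trace, g_lookups);
    run_chain(guarded_cb, 0);
    printf("guarded: %s lookups=%d\n", g_trace, g_lookups);
    return 0;
}
```

With a bad EE signature the naive callback sees `root:1;ica:1;ee:0;ee:1;` and performs four lookups, two of them for the EE cert whose signature never verified; the guarded callback stops the walk at `ee:0` after two lookups, and on a good chain performs exactly one lookup per cert, with the EE cert reached last.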
