Stephane Bailliez wrote:
Hi,


I'm facing an annoying issue during a PKI deployment and integration within an organization.


The CA is created with the authority key identifier set as a critical extension.

OpenSSL (including 0.9.7g) chokes (voluntarily) on critical extensions and by default issues an error such as "Certificate Verification: Error (34): unhandled critical extension".

The piece of code involved is in crypto/x509/x509_vfy.c::check_chain_purpose

        /* check_chain_purpose(): reject a certificate that carries an extension
           OpenSSL does not handle, unless the caller asked to ignore critical ones */
        if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)
            && (x->ex_flags & EXFLAG_CRITICAL))
            {
            ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;   /* error 34 */
            ctx->error_depth = i;
            ctx->current_cert = x;
            ok=cb(0,ctx);                  /* the verify callback may override */
            if (!ok) goto end;
            }

There is the flag X509_V_FLAG_IGNORE_CRITICAL, which can be set when creating the SSL context; unfortunately, mod_ssl does not support any options related to context flags in its configuration, so it of course fails during authentication with the message above.

Is there any interest in adding SSL context options to mod_ssl, and if yes, what is the recommended way, if it has been thought about?

It's a pretty dumb idea to ignore critical extensions, so I don't think this sounds like a great idea...


--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
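Since the thread's root cause is an authority key identifier marked critical (RFC 3280 4.2.1.1 requires it to be non-critical), the practical fix is to find and re-issue the offending CA certificate rather than switch off the check. The following is an added example, not OpenSSL or mod_ssl code: a stdlib-only parser that walks a DER-encoded X.509 Extensions SEQUENCE and reports which extensions are flagged critical; the DER input is a constructed sample, not a real certificate.

```python
"""Walk a DER-encoded X.509 Extensions SEQUENCE and report which extensions
are flagged critical (added example, not OpenSSL/mod_ssl code)."""

AKI_OID = "2.5.29.35"   # authorityKeyIdentifier; RFC 3280 4.2.1.1: MUST NOT be critical

def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _oid(value):
    """Decode an OBJECT IDENTIFIER body into dotted-decimal form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_extensions(der):
    """Return [(oid, critical)] for Extensions ::= SEQUENCE OF Extension, where
    Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        _, ext, pos = _tlv(body, pos)
        _, oid_bytes, p = _tlv(ext, 0)
        t, v, _ = _tlv(ext, p)             # BOOLEAN if present, else the OCTET STRING
        out.append((_oid(oid_bytes), t == 0x01 and v != b"\x00"))
    return out

def critical_aki(exts):
    """True when authorityKeyIdentifier is marked critical (the condition from the thread)."""
    return any(crit for oid, crit in exts if oid == AKI_OID)

# Constructed sample: AKI (critical), basicConstraints CA:TRUE (critical), SKI (non-critical)
SAMPLE_EXTENSIONS = bytes.fromhex(
    "3034"
    "3012 0603551d23 0101ff 0408 3006 8004 01020304"
    "300f 0603551d13 0101ff 0405 3003 0101ff"
    "300d 0603551d0e 0406 0404 01020304"
)

if __name__ == "__main__":
    for oid, crit in parse_extensions(SAMPLE_EXTENSIONS):
        print(oid, "critical" if crit else "non-critical")
    print("AKI critical:", critical_aki(parse_extensions(SAMPLE_EXTENSIONS)))
```

On a real certificate, feed the value of the Extensions field (the [3] EXPLICIT element of TBSCertificate) to parse_extensions; a True result from critical_aki is exactly the condition that trips the check quoted above.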
