On Fri, Sep 22, 2000 at 07:12:15PM +0100, Dr S N Henson wrote:
> Well the point of that stuff is to allow a log of all the extra checks
> being made. Things that were tolerated before (such as mismatched key
> ids) are not tolerated now.
>
> The callback will not be called with those extra checks unless the flag
> X509_V_FLAG_CB_ISSUER_CHECK is set because a callback
> *really* needs to know what it is doing if it is going to override the
> issuer and subject certificate mismatch errors.
>
> However I think on reflection it should go one step further and not
> set the error condition at all for these informational errors unless
> the flag is set. That way it should be largely compatible with the
> old behaviour. Fortunately that is a trivial change.

That would meet my analysis. It is a good decision to reject issuer
certificates that don't match the requirements, but not set this error
flag. If we don't find a matching one, we will get the NOT_FOUND error
condition and that is a real error that does make sense.

[I actually think that by now I finally understand how this verify_callback
thing really has to work, but I won't be able to write this manual page
before the 0.9.6 release date..]

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
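
A toy C model of the behaviour agreed in this thread, added here as an example; it is not OpenSSL code and not from either poster. All names (`vctx`, `check_issued`, `find_issuer`, `FLAG_CB_ISSUER_CHECK`, the error values) and the certificates are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Toy model of the behaviour discussed above. Not OpenSSL source: every
   name and value here is hypothetical, and the certificates are constructed. */
enum { V_OK = 0, V_INFO_ISSUER_MISMATCH, V_ERR_ISSUER_NOT_FOUND };
#define FLAG_CB_ISSUER_CHECK 0x1u /* stands in for X509_V_FLAG_CB_ISSUER_CHECK */

struct cert { const char *subject, *issuer, *skid, *akid; };
struct vctx { unsigned flags; int error; int cb_calls;
              int (*cb)(int ok, struct vctx *c); };

/* Logging callback: records the check, returns ok unchanged (no override). */
static int log_cb(int ok, struct vctx *c) {
    c->cb_calls++;
    fprintf(stderr, "issuer check: ok=%d error=%d\n", ok, c->error);
    return ok;
}

/* A mismatching candidate is rejected in every case; the mismatch is recorded
   and passed to the callback only when the flag is set. */
static int check_issued(struct vctx *c, const struct cert *sub,
                        const struct cert *cand) {
    if (!strcmp(sub->issuer, cand->subject) && !strcmp(sub->akid, cand->skid))
        return 1;
    if (!(c->flags & FLAG_CB_ISSUER_CHECK))
        return 0;               /* silent rejection, error left untouched */
    c->error = V_INFO_ISSUER_MISMATCH;
    return c->cb(0, c);
}

/* Index of the first acceptable issuer, or -1 with the real error set. */
static int find_issuer(struct vctx *c, const struct cert *sub,
                       const struct cert *cands, int n) {
    for (int i = 0; i < n; i++)
        if (check_issued(c, sub, &cands[i]))
            return i;
    c->error = V_ERR_ISSUER_NOT_FOUND;
    return -1;
}

static const struct cert leaf = { "CN=leaf", "CN=CA", "aa", "02" };
static const struct cert store[] = {
    { "CN=CA", "CN=CA", "01", "01" },   /* same name, old key: key id mismatch */
    { "CN=CA", "CN=CA", "02", "02" },   /* matching key id */
};
int main(void) {
    struct vctx c = { FLAG_CB_ISSUER_CHECK, V_OK, 0, log_cb };
    int idx = find_issuer(&c, &leaf, store, 2);
    printf("issuer index: %d, error: %d\n", idx, c.error);
}
```

With the flag clear the mismatched candidate is skipped and the error field stays clean; with the flag set the same run leaves the informational value in the error field even though an issuer was found, which is the compatibility concern raised in the quoted message.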