From: Stefan Traby <[EMAIL PROTECTED]>

stefan> Even IE 5.01 supports at least 257 levels of nested CA's (tested,
stefan> certs created by openssl after patching, the pkcs12-file was 216992
stefan> bytes large) and I guess that no standard suggests or enforces a
stefan> nesting level limit of 9. (Stupid default: As long as it's possible to
stefan> sign certs illegally (expiration time) the default limit should be higher).

I can't quite understand why such nesting depths would be useful, and
what it might have to do with illegal signing. I'm not trying to
defend the limit of 9 levels, just curious...

stefan> I'm now really surprised that openssl works at all, I see at bugs
stefan> in frontend and backend there (honoring the fact that
stefan> X509_STORE_CTX_get_error() after X509_verify_cert() returns
stefan> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT which should be _clearly_
stefan> X509_V_ERR_CERT_CHAIN_TOO_LONG in that case).

Please send a patch?

--
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken  \ S-168 35 BROMMA   \ T: +46-8-26 52 47
Redakteur@Stacken \ SWEDEN            \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
Re: pkcs12 segfaults if more than 9 CA's are nested
Richard Levitte - VMS Whacker Tue, 01 May 2001 21:18:44 -0700
