"Douglas E. Engert" wrote:
>
> Dr S N Henson wrote:
> >
> > "Douglas E. Engert" wrote:
> > >
> > > It does not appear there is any code in OpenSSL to make sure all critical
> > > extensions are checked during a verify. This could be considered a bug.
> > > The default behavior should be to reject any critical extensions which are
> > > not understood.
> > >
> >
> > There are also lots of things OpenSSL verify "should" do but it doesn't
> > to work around various buggy certificates in common usage.
> >
> > I think if it followed the letter of RFC2459 it would create
> > certificates which would crash a lot of software and reject at least
> > half of the certificates in common usage.
> >
> > A flag could be added to the verify code to reject certificates with
> > unsupported critical extensions or make that the default behaviour and a
> > flag to tolerate certificates with unsupported critical extensions.
>
> Good idea, make the default to reject. This would then follow the spirit
> of RFC2459.
>

This functionality has been added to the development version of OpenSSL
and will appear in OpenSSL 0.9.7.

Let me know of any problems.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED]
PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
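
The default-reject behaviour discussed in this thread, as an added Python sketch that is not part of the original messages and is not OpenSSL's code: it walks a DER-encoded Extensions SEQUENCE and refuses any extension marked critical that the verifier does not handle. The `SUPPORTED` set, the `tolerate_unknown` parameter (a hypothetical stand-in for the "tolerate" flag proposed above) and the sample bytes, including the private OID 1.3.6.1.4.1.99999.1, are constructed for illustration.

```python
# Added illustration, not OpenSSL source: default-reject of unknown critical extensions.
SUPPORTED = {"2.5.29.15", "2.5.29.19"}  # assumption: verifier handles keyUsage, basicConstraints

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_extensions(der):
    """Yield (oid, critical) for each Extension in a DER Extensions SEQUENCE."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    pos = 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid, after_oid = read_tlv(ext, 0)
        next_tag, value, _ = read_tlv(ext, after_oid)
        # critical is BOOLEAN DEFAULT FALSE: when absent, the next TLV is the OCTET STRING
        yield decode_oid(oid), (next_tag == 0x01 and value != b"\x00")

def check_critical(der, tolerate_unknown=False):
    """Return (accepted, unhandled_oids); tolerate_unknown is a hypothetical flag name."""
    unhandled = [oid for oid, crit in parse_extensions(der) if crit and oid not in SUPPORTED]
    return (tolerate_unknown or not unhandled), unhandled

# Constructed sample input (hand-built DER, not taken from a real certificate).
SAMPLE = bytes.fromhex(
    "3032"
    "300f0603551d130101ff040530030101ff"        # basicConstraints, critical
    "301206092b06010401868d1f010101ff04020500"  # 1.3.6.1.4.1.99999.1, critical (made up)
    "300b0603551d0e04040402abcd"                # subjectKeyIdentifier, non-critical
)

if __name__ == "__main__":
    print(check_critical(SAMPLE))
    print(check_critical(SAMPLE, tolerate_unknown=True))
```

The non-critical subjectKeyIdentifier is outside `SUPPORTED` yet never causes rejection; only the critical bit on an unhandled OID does.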
