Hello,
I have a little question about "check_purpose_ssl_server"
and "check_purpose_ssl_client".
The "check_chain_purpose" function calls "X509_check_purpose"
for all "untrusted" certificates in the chain.
This function calls a check_purpose function.
In the "SSL_SERVER" (or "SSL_CLIENT") case, the
"check_purpose_ssl_server" (or "check_purpose_ssl_client")
function verifies that, if the "ExtendedKeyUsage" attribute is
set, it contains the "XKU_SSL_SERVER" or "XKU_SGC" (or
"XKU_SSL_CLIENT") attribute bit.
This test is meaningful on the end user certificate but not
on the intermediate CA certificate.
Do you agree?
If so, a solution would be to invert the first two lines in the
"check_purpose_ssl_server" and "check_purpose_ssl_client"
functions.
Regards,
Françoise
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
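
The two orderings discussed in the message above, as an added example that is not part of the original post and is not OpenSSL source code. It is a self-contained model: struct cert_model, the helper names, the flag values and the sample chain are constructed for illustration, and the CA check is reduced to a single flag.

```c
#include <stdio.h>

/* Flag names taken from the message; the values are constructed for this model. */
#define XKU_SSL_SERVER 0x1
#define XKU_SSL_CLIENT 0x2
#define XKU_SGC        0x10

struct cert_model {
    int is_ca;     /* stand-in for the CA check, which the message does not detail */
    int has_xku;   /* is the ExtendedKeyUsage extension present? */
    unsigned xku;  /* bits set in the extension */
};

/* True when ExtendedKeyUsage is set but carries none of the wanted bits. */
static int xku_rejects(const struct cert_model *c, unsigned wanted)
{
    return c->has_xku && !(c->xku & wanted);
}

/* Order implied by the message: ExtendedKeyUsage test first, for every certificate. */
static int server_purpose_xku_first(const struct cert_model *c, int ca)
{
    if (xku_rejects(c, XKU_SSL_SERVER | XKU_SGC)) return 0;
    return ca ? c->is_ca : 1;
}

/* Order proposed in the message: CA branch first, so CA certificates skip the test. */
static int server_purpose_ca_first(const struct cert_model *c, int ca)
{
    if (ca) return c->is_ca;
    return xku_rejects(c, XKU_SSL_SERVER | XKU_SGC) ? 0 : 1;
}

typedef int (*purpose_fn)(const struct cert_model *, int);

/* Walk the untrusted chain (index 0 = end-entity certificate, the rest are CAs).
   Returns -1 when every certificate passes, else the index of the first failure. */
static int first_failure(const struct cert_model *chain, int n, purpose_fn check)
{
    for (int i = 0; i < n; i++)
        if (!check(&chain[i], i > 0)) return i;
    return -1;
}

/* Constructed chain: server leaf, then an intermediate CA whose
   ExtendedKeyUsage lists only the client bit. */
static const struct cert_model sample_chain[] = {
    { 0, 1, XKU_SSL_SERVER },
    { 1, 1, XKU_SSL_CLIENT },
};

int main(void)
{
    printf("xku first: %d\n", first_failure(sample_chain, 2, server_purpose_xku_first));
    printf("ca first:  %d\n", first_failure(sample_chain, 2, server_purpose_ca_first));
    return 0;
}
```

With the ExtendedKeyUsage test first, the chain fails at the intermediate CA; with the CA branch first, the same chain passes, while an end-entity certificate lacking the server bit is rejected under both orderings.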