In both 0.9.6c and 0.9.7-SNAP, the function "ssl_verify_alarm_type" in ssl/s3_both.c seems to be missing the newest x509 verification error codes, like X509_V_ERR_INVALID_PURPOSE, in the switch statement. If such a verification error is encountered, the switch will fall through and an "unknown ca" alert (SSL_AD_CERTIFICATE_UNKNOWN) will be returned, instead of SSL_AD_UNSUPPORTED_CERTIFICATE in this case. I can submit a patch, if anyone is interested.
Tom
--
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
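The fall-through described in the message above, as an added example that is not part of the original post and is not OpenSSL source: a simplified model of a verify-error-to-alert switch, with a regression check that lists verify codes reaching only the default branch. The function names and the three-entry code list are hypothetical; the numeric values are copied locally from the TLS alert descriptions and OpenSSL's x509_vfy.h so the block builds without OpenSSL headers.

```c
#include <stddef.h>
#include <stdio.h>

/* Values copied locally so this builds without OpenSSL headers. */
enum { AD_UNSUPPORTED_CERTIFICATE = 43, AD_CERTIFICATE_EXPIRED = 45,
       AD_CERTIFICATE_UNKNOWN = 46, AD_UNKNOWN_CA = 48 };
enum { V_ERR_UNABLE_TO_GET_ISSUER_CERT = 2, V_ERR_CERT_HAS_EXPIRED = 10,
       V_ERR_INVALID_PURPOSE = 26 };
#define UNMAPPED (-1)

/* Hypothetical model of the switch as reported: no case for INVALID_PURPOSE. */
static int lookup_before(long type) {
    switch (type) {
    case V_ERR_UNABLE_TO_GET_ISSUER_CERT: return AD_UNKNOWN_CA;
    case V_ERR_CERT_HAS_EXPIRED:          return AD_CERTIFICATE_EXPIRED;
    default:                              return UNMAPPED;
    }
}

/* Same model with the case the post says is missing. */
static int lookup_after(long type) {
    if (type == V_ERR_INVALID_PURPOSE) return AD_UNSUPPORTED_CERTIFICATE;
    return lookup_before(type);
}

/* What the peer sees: unmapped codes collapse to certificate_unknown. */
static int alert_for(int (*lookup)(long), long type) {
    int al = lookup(type);
    return al == UNMAPPED ? AD_CERTIFICATE_UNKNOWN : al;
}

/* Regression check: count verify codes that only reach the default branch. */
static size_t count_unmapped(int (*lookup)(long), const long *codes, size_t n) {
    size_t missing = 0;
    for (size_t i = 0; i < n; i++)
        if (lookup(codes[i]) == UNMAPPED) {
            printf("verify code %ld has no explicit alert mapping\n", codes[i]);
            missing++;
        }
    return missing;
}

/* Constructed list of codes to audit; a real check would cover every code. */
static const long KNOWN_CODES[] = { V_ERR_UNABLE_TO_GET_ISSUER_CERT,
                                    V_ERR_CERT_HAS_EXPIRED, V_ERR_INVALID_PURPOSE };
#define N_KNOWN (sizeof KNOWN_CODES / sizeof KNOWN_CODES[0])

int main(void) {
    printf("before: alert %d, after: alert %d\n",
           alert_for(lookup_before, V_ERR_INVALID_PURPOSE),
           alert_for(lookup_after, V_ERR_INVALID_PURPOSE));
    return count_unmapped(lookup_after, KNOWN_CODES, N_KNOWN) != 0;
}
```

Returning a sentinel from the default branch, rather than the alert itself, is what lets the check distinguish a deliberate certificate_unknown mapping from a code nobody added to the switch.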
