On Fri, 21 Nov 2003, Dr. Stephen Henson wrote:

> Well yes except there's a broken certificate workaround in there...
>
> One rather important CA excludes basicConstraints in its "CA" certificate but
> includes keyUsage+keyCertSign so it will tolerate this case.

Very broken certificate. Rather than me sifting through a hundred-odd certificates, could you e-mail me off-line to let me know which one it is? Even the subject hash id would do!

> If you just want a specific application to verify these certificates (and not
> OpenSSL in general) then you could always override that error in the verify
> callback or supply your own check_issuer routine (it is replaceable).

I've done something with a verify callback for now. If the certificates I'm communicating with are valid and not breaking the RFC, then obviously I'd rather OpenSSL handled them, but if it can't because of said important CA, then I'll concentrate on tightening up my application code in just these instances.

> Do these certificates include SKID/AKID? If so then relaxing the keyUsage check
> if SKID==AKID would be a possibility.

No, they're really a very basic self-signed cert, just with keyUsage flags excluding keyCertSign.

- DR
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
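As an added example (not part of this thread and not OpenSSL project code), the shell script below rebuilds the broken-CA case Stephen describes, a v3 CA certificate with keyUsage=keyCertSign but no basicConstraints, signs a leaf with it, and shows that the tolerance still present in current OpenSSL accepts the chain by default while `-x509_strict` rejects it. It assumes an `openssl` 1.1.1 or later command-line binary and `mktemp`; the subject names, the extension config and the temporary directory are constructed for the demo.

```shell
# Write an extension config, generate a CA key/cert and a leaf it signs; print the dir.
make_broken_ca_chain() {
    dir=$(mktemp -d)
    cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[broken_ca]
# Deliberately no basicConstraints: keyUsage alone marks this cert as a CA.
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
authorityKeyIdentifier = keyid
EOF
    for name in ca leaf; do   # one RSA key and CSR each (constructed test subjects)
        openssl req -new -newkey rsa:2048 -nodes -config "$dir/ext.cnf" \
            -subj "/CN=$name.test" -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
    done
    # Self-sign the CA CSR with only the broken_ca extensions (no basicConstraints).
    openssl x509 -req -days 2 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ext.cnf" -extensions broken_ca -out "$dir/ca.pem" >/dev/null 2>&1
    # Issue the leaf from that CA.
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/ext.cnf" -extensions leaf -out "$dir/leaf.pem" >/dev/null 2>&1
    echo "$dir"
}

# Exit 0 if the CA cert carries a basicConstraints extension, 1 if it does not.
ca_has_basic_constraints() {
    openssl x509 -in "$1/ca.pem" -noout -text | grep -q 'X509v3 Basic Constraints'
}

# Verify the leaf against the CA; extra arguments (e.g. -x509_strict) go to openssl verify.
verify_leaf() {
    dir=$1; shift
    openssl verify "$@" -CAfile "$dir/ca.pem" "$dir/leaf.pem"
}

# Stand-alone run: the tolerant default accepts the chain, strict mode rejects it.
if [ "${1:-}" = "run" ]; then
    d=$(make_broken_ca_chain)
    verify_leaf "$d"                # expected: .../leaf.pem: OK
    verify_leaf "$d" -x509_strict   # expected: verification fails on the CA cert
fi
```

Run it as `sh script.sh run`; the strict failure is the behaviour an application would otherwise have to re-create in its own verify callback for just the one known CA.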