Hello,
I have integrated OpenSSL in a small client/server prototype recently
and I've been left wondering about two issues I've encountered.
1. I have successfully created a certificate signed by an expired
certificate authority. Maybe there is some edge use case where this
kind of behaviour can be required, but shouldn't OpenSSL throw an
error when signing with an expired authority? And then, in order to
accommodate edge use cases, allow an additional parameter to ignore
such an error?
2. I have successfully established a connection with a server using
the certificate I mentioned above: the certificate signed by an
expired authority. Why does the default behavior allow me to establish
such a connection without any warning? It would be much more secure to
raise an error in such a case and require explicit approval through
some parameter to overlook the issue with the server's certificate.
Thanks for your insight on these issues!
-Gabriel Aubut-Lussier
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
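
The check asked for in point 1 can be enforced around the signing step, and the effect on verification in point 2 can be observed with `openssl verify`. The script below is an added example, not code from the original post or from the OpenSSL project. The helper names (`ca_is_current`, `guarded_sign`, `chain_ok_at`, `make_fixture`), file names and subject names are assumptions, and CA expiry is simulated with a one-day test CA evaluated two days ahead rather than with a real expired certificate.

```shell
#!/bin/sh
# Added example; every file, subject name and helper here is constructed.

# ca_is_current CERT [SECONDS]: true only if CERT stays valid for at least
# SECONDS more (default 0 = "not expired right now").
ca_is_current() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# guarded_sign CA_CERT CA_KEY CSR OUT DAYS [MIN_REMAINING_SECONDS]
# Refuses to issue when the CA certificate fails the check above.
guarded_sign() {
    if ! ca_is_current "$1" "${6:-0}"; then
        echo "refusing to sign: $1 is expired or expires too soon" >&2
        return 1
    fi
    openssl x509 -req -in "$3" -CA "$1" -CAkey "$2" -set_serial 1 \
        -days "$5" -out "$4" 2>/dev/null
}

# chain_ok_at CA_CERT LEAF EPOCH: verify LEAF as of EPOCH. Matching ": OK"
# avoids relying on the exit status of older openssl releases.
chain_ok_at() {
    openssl verify -attime "$3" -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# make_fixture DIR: a one-day test CA and a CSR for a leaf, both constructed.
make_fixture() {
    printf '%s\n' '[req]' 'distinguished_name = req' 'x509_extensions = v3_ca' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$1/test.cnf"
    openssl req -x509 -config "$1/test.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Constructed Test CA' -keyout "$1/ca.key" -out "$1/ca.pem" \
        2>/dev/null
    openssl req -new -config "$1/test.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=leaf.example' -keyout "$1/leaf.key" -out "$1/leaf.csr" \
        2>/dev/null
}

d=$(mktemp -d) && make_fixture "$d"
# The CA is valid today, so a 365-day leaf is issued (it outlives its CA).
guarded_sign "$d/ca.pem" "$d/ca.key" "$d/leaf.csr" "$d/leaf.pem" 365 && echo signed
now=$(date +%s); later=$((now + 172800))   # two days on, the CA has expired
chain_ok_at "$d/ca.pem" "$d/leaf.pem" "$now" && echo "chain verifies today"
chain_ok_at "$d/ca.pem" "$d/leaf.pem" "$later" || echo "chain rejected after CA expiry"
# Requiring two more days of CA validity makes the guard refuse.
guarded_sign "$d/ca.pem" "$d/ca.key" "$d/leaf.csr" "$d/leaf2.pem" 365 172800 \
    || echo "guard refused"
rm -rf "$d"
```

A TLS client only sees this rejection if it enables peer verification (`SSL_VERIFY_PEER` via `SSL_CTX_set_verify`); with the default `SSL_VERIFY_NONE` the handshake continues regardless of the verification result.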