On 10/25/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
On Wed, Oct 25, 2006, Goetz Babin-Ebell wrote:

>
> It is always possible to have more than one certificate with the
> same subject name.
>
> Only the combination issuer name / serial number must be unique.
> (Last time I checked OpenSSL has problems with more than one CA
>  certificate with the subject name...)
>

Depends. If SKID/AKID is used to disambiguate that case OpenSSL
should handle it properly. If not, it will just use the first certificate
it encounters, which may not be the right one.

Perhaps Goetz is unaware (like I was until a few days ago) that when
doing verification "by directory" there can be multiple hash
files in the directory for different certificates with the same
DN/hash.  (i.e., you can have a 084a349a.0 and a 084a349a.1 for two CA
certificates with the same DN, but with different serial numbers and
validity dates.)

I had never run across any documentation that said anything about a
number other than zero.  I see now it is documented in
doc/ssl/SSL_CTX_load_verify_locations.pod
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
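The <hash>.0 / <hash>.1 lookup described in the thread, modelled as an added example (this is not OpenSSL's code; the subject hash is a stand-in for what `openssl x509 -subject_hash` prints, and the CA records are constructed rather than parsed X.509 objects):

```python
"""Model of OpenSSL CApath ("by directory") lookup when several CA
certificates share one subject DN and live in <hash>.0, <hash>.1, ...
Added example, not OpenSSL code; subject_hash() is a stand-in."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class CACert:
    subject: str   # DN string, constructed for this example
    serial: int    # together with issuer name this is what must be unique
    skid: str      # subjectKeyIdentifier (hex), matched against a leaf's AKID

def subject_hash(name: str) -> str:
    """Stand-in for X509_NAME_hash(): loosely canonicalize (lowercase,
    collapse whitespace), then first 4 bytes of SHA-1 as 8 hex digits."""
    canon = " ".join(name.lower().split()).encode("utf-8")
    digest = hashlib.sha1(canon).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")

def install(capath: Dict[str, CACert], cert: CACert) -> str:
    """Mimic c_rehash: store the cert as <hash>.<N> using the first free N,
    so a second CA with the same DN becomes <hash>.1 instead of
    overwriting <hash>.0."""
    h = subject_hash(cert.subject)
    n = 0
    while f"{h}.{n}" in capath:
        n += 1
    capath[f"{h}.{n}"] = cert
    return f"{h}.{n}"

def find_issuer(capath: Dict[str, CACert], issuer: str,
                akid: Optional[str] = None) -> Optional[CACert]:
    """The by_dir loading loop: try <hash>.0, <hash>.1, ... until a file is
    missing.  With an AKID the CA whose SKID matches is chosen; without
    one the first file found wins, which may be the wrong CA."""
    h = subject_hash(issuer)
    candidates: List[CACert] = []
    n = 0
    while f"{h}.{n}" in capath:
        candidates.append(capath[f"{h}.{n}"])
        n += 1
    if not candidates:
        return None
    if akid is not None:
        return next((c for c in candidates if c.skid == akid), None)
    return candidates[0]
```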
