On Thu, Jun 04, 2009, Brad Mitchell wrote:
> If that's the case then I don't see why openssl shouldn't know about these
> extensions. Especially if they have been in certificates since Windows 2003
> at the very least....
>

"Knowing about" an extension is one thing, deciding what to do with it is another thing entirely. That's why RFC5280 et al have the strict language they do. If an extension is critical the CA is saying "you MUST understand what this bit means and do the right thing". They have decided that the extension provides critical information about the certificate and just ignoring it is not appropriate.

The "do the right thing" bit needs documentation about how the extension is encoded and how it should be processed. Doing that properly needs additional code.

BTW there *is* a callback of sorts for this: the standard verification callback is usable. It's a little more awkward because it doesn't tell you what extension it is objecting to. You could however examine the errant certificate for critical extensions and return "OK" if it contained internally supported extensions and any extra critical ones you want the application to process.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org