On Thu, Jun 03, 2010 at 02:32:10PM -0400, jeff wrote:

> > I would expect such constraints to only apply when
> > certificates are being *verified*. There seems to be
> > little point in preventing a CA from attempting to sign
> > violating certificates.
> 
> Yes I later tried to "verify" and I still got no complaints.

As I said, the "verify" command only checks the trust chain; peer name
verification is not in scope.

> > Does OpenSSL trust chain validation include any checks on name
> > constraints?
> 
> If there is an additional step that I need to apply for this verification to
> happen then I don't know that and I'd appreciate you detailing that, please.
> Thanks.

New code to support name constraints appears to be in OpenSSL 1.0.0. I
don't believe this is present in any 0.9.x versions. Which version of
OpenSSL are you using?

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
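
The behaviour discussed in this thread, as an added example that is not part of the original messages: on a current OpenSSL release, signing a certificate outside the CA's permitted subtree succeeds, and `openssl verify` rejects it when building the chain. The names (Demo NC Root, example.com, example.net), file names and the `nc_verify` helper are constructed for this demo.

```shell
#!/bin/sh
# Constructed demo; every name and file below is made up for illustration.
nc_verify() {   # $1 = DNS name placed in the leaf's subjectAltName
    d=$(mktemp -d) || return 2
    (
        cd "$d" || exit 2
        # CA config: the root only permits DNS names under example.com.
        printf '%s\n' \
            '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' 'prompt = no' \
            '[dn]' 'CN = Demo NC Root' \
            '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
            'keyUsage = critical,keyCertSign,cRLSign' \
            'nameConstraints = critical,permitted;DNS:example.com' > ca.cnf
        printf 'subjectAltName = DNS:%s\n' "$1" > leaf.ext
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config ca.cnf \
            -keyout ca.key -out ca.pem 2>/dev/null
        openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj '/O=Demo Leaf' \
            -keyout leaf.key -out leaf.csr 2>/dev/null
        # Signing is not where the constraint bites: this succeeds for any name.
        openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
            -days 1 -extfile leaf.ext -out leaf.pem 2>/dev/null
        # Chain validation is: a name outside the permitted subtree fails here.
        openssl verify -CAfile ca.pem leaf.pem 2>&1
    )
    rc=$?
    rm -rf "$d"
    return "$rc"
}

nc_verify www.example.com || echo "unexpected: in-subtree name rejected"
nc_verify www.example.net || echo "rejected: name is outside the permitted subtree"
```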