On Thu, Jun 03, 2010 at 02:32:10PM -0400, jeff wrote:

> > I would expect such constraints to only apply when
> > certificates are being *verified*. There seems to be
> > little point in preventing a CA from attempting to sign
> > violating certificates.
>
> Yes I later tried to "verify" and I still got no complaints.

As I said, the "verify" command only checks the trust chain; peer name
verification is not in scope.

> > Does OpenSSL trust chain validation include any checks on name
> > constraints?
>
> If there is an additional step that I need to apply for this verification to
> happen then I don't know that and I'd appreciate you detailing that please.
> thanks.

New code to support name constraints appears to be in OpenSSL 1.0.0.
I don't believe this is present in any 0.9.x versions. Which version
of OpenSSL are you using?

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
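
The point made in this message, as an added example that is not part of the original thread or of the OpenSSL project: a CA restricted by nameConstraints still signs a violating certificate, and the violation only surfaces when the chain is verified. The domains, subject names and file names are constructed, and the script assumes an openssl CLI new enough to check name constraints during chain validation.

```shell
#!/bin/sh
# Constructed demo: names, domains and file paths are made up for illustration.
# Requires the openssl CLI with name-constraint support in chain validation.

# build_pki DIR: create a CA limited to example.com plus two leaf certificates.
build_pki() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:example.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -config "$dir/ca.cnf" -extensions v3_ca \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # The CA signs both requests without complaint; nothing is enforced at signing time.
    for leaf in inside:www.example.com outside:www.example.org; do
        name=${leaf%%:*}
        printf 'subjectAltName = DNS:%s\n' "${leaf#*:}" > "$dir/$name.ext"
        openssl req -new -newkey rsa:2048 -nodes -subj "/O=Constructed Leaf $name" \
            -config "$dir/ca.cnf" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 1 -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null || return 1
    done
}

# chain_ok DIR NAME: succeed only if "openssl verify" reports OK for the leaf.
# The command output is parsed rather than the exit status.
chain_ok() {
    openssl verify -CAfile "$1/ca.pem" "$1/$2.pem" 2>&1 | grep -q ': OK$'
}

# demo: build the constructed PKI in a temporary directory and report each leaf.
demo() {
    work=$(mktemp -d) || return 1
    build_pki "$work" || { rm -rf "$work"; return 1; }
    for name in inside outside; do
        if chain_ok "$work" "$name"; then echo "$name: accepted"; else echo "$name: rejected"; fi
    done
    rm -rf "$work"
}
demo
```

The check here covers only the subjectAltName entries inside the certificates; matching a certificate against the peer name an application connected to remains a separate step.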