On Wed, Mar 09, 2011, Ralph Holz wrote:

> Good day,
>
> The following is a question re: openssl verify.
>
> In the openssl docs, I have found that "no chain verification is done if the
> option "-purpose is not set". I just checked with a few test cases (certs
> from HTTPs server, chain length at least 3) and found that the output of
> verify seems to be the same regardless whether the option is set (to
> "sslserver") or not set.
>
> Am I correct in surveying that openssl verify uses a default of "sslserver"
> for -purpose?
>

No, it just means that most certificates could (in theory) be used as SSL server
certificates. If you had appropriate extensions restrictions (e.g. extended
key usage or the deprecated Netscape certificate type) you'd notice the
difference.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
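
Added example, not part of the original thread and not OpenSSL project code: the difference described in the reply above, reproduced with a constructed CA and a leaf certificate whose extended key usage permits only clientAuth. It assumes OpenSSL 1.1.0 or later on the PATH (where `openssl verify` exits non-zero on failure); all subject names and file names are made up for the demo.

```shell
#!/bin/sh
# Added example: every name, subject and file below is constructed for the demo.
# Assumes OpenSSL 1.1.0+, where `openssl verify` exits non-zero on failure.

# Build a throwaway CA and a leaf whose extended key usage allows clientAuth only.
make_demo_pki() {
    dir=$1
    cat > "$dir/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client_only]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config "$dir/cfg" \
        -extensions v3_ca -subj "/CN=Constructed Demo CA" -days 2 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/cfg" \
        -subj "/CN=client-only.example" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/cfg" -extensions client_only -days 1 \
        -out "$dir/leaf.pem" 2>/dev/null
}

# Print OK or FAIL for one `openssl verify` invocation with the given arguments.
verify_status() {
    if openssl verify "$@" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Verify the same leaf three ways: no purpose, matching purpose, mismatched purpose.
demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { rm -rf "$d"; return 1; }
    echo "no -purpose:        $(verify_status -CAfile "$d/ca.pem" "$d/leaf.pem")"
    echo "-purpose sslclient: $(verify_status -CAfile "$d/ca.pem" -purpose sslclient "$d/leaf.pem")"
    echo "-purpose sslserver: $(verify_status -CAfile "$d/ca.pem" -purpose sslserver "$d/leaf.pem")"
    rm -rf "$d"
}
demo
```

Only the `-purpose sslserver` run rejects the certificate; a leaf with no extended key usage extension would pass all three, which is why the test certificates in the question showed no difference.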
