On Wed, Mar 09, 2011, Ralph Holz wrote:

> Hi Steve,
>
> On 9 March 2011 13:03, Dr. Stephen Henson <[email protected]> wrote:
>
> > > Am I correct in surveying that openssl verify uses a default of
> > > "sslserver" for -purpose?
> > >
> >
> > No it just means that most certificates could (in theory) be used as SSL
> > server certificates. If you had appropriate extensions restrictions (e.g.
> > extended key usage or the deprecated netscape certificate type) you'd
> > notice the difference.
> >
>
> Thanks for the quick answer. Still, does this mean that if I don't use
> -purpose at all, the certification chain would still be evaluated
> normally, just without checking for certificate purpose? Because the way the
> docs say it, I would have concluded chain evaluation is not done at all -
> yet it seems to happen.
>

It just checks CA certificates are valid using basicConstraints and keyUsage
extensions.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
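
The behaviour discussed in this thread can be reproduced with a throwaway chain; the script below is an added example, not part of the original messages. It assumes the openssl CLI (1.1.1 or later) is on PATH, and every subject name, file name and config section in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: all certificates, names and files here are constructed.
D=$(mktemp -d)
trap 'rm -rf "$D"' EXIT

cat > "$D/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[not_ca_ext]
basicConstraints = critical,CA:FALSE
[client_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

# issue NAME ISSUER EXT_SECTION: new key and CSR for NAME, signed with ISSUER's key.
issue() {
    openssl req -new -config "$D/ext.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed $1" -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null
    openssl x509 -req -in "$D/$1.csr" -CA "$D/$2.pem" -CAkey "$D/$2.key" \
        -CAcreateserial -extfile "$D/ext.cnf" -extensions "$3" -days 2 \
        -out "$D/$1.pem" 2>/dev/null
}

# check ARGS...: print "ok" or "fail" for openssl verify against the constructed root.
check() {
    if openssl verify -CAfile "$D/root.pem" "$@" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

# Self-signed root with CA:TRUE and keyCertSign.
openssl req -x509 -config "$D/ext.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
    -subj "/CN=Constructed root" -keyout "$D/root.key" -out "$D/root.pem" \
    -days 2 2>/dev/null
issue client root  client_ext   # leaf whose extended key usage is clientAuth only
issue notca  root  not_ca_ext   # end-entity certificate, CA:FALSE
issue leaf2  notca client_ext   # signed with the key of the non-CA certificate

echo "no -purpose:        $(check "$D/client.pem")"
echo "-purpose sslserver: $(check -purpose sslserver "$D/client.pem")"
echo "-purpose sslclient: $(check -purpose sslclient "$D/client.pem")"
echo "non-CA as issuer:   $(check -untrusted "$D/notca.pem" "$D/leaf2.pem")"
```

The first and last lines show the two halves of the answer: without -purpose the leaf's extended key usage is not consulted, yet a chain that passes through a certificate marked CA:FALSE is still rejected.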
