Hello OpenSSL gurus,

I faced an issue with pathlen constraint checking by OpenSSL when verifying the client certificate. I did a few studies of how OpenSSL does that and I would appreciate your assistance in clarifying the issue.

1. The certificate chain with a pathlen constraint defined in the root CA:

   Root CA, pathlen:1
   \ policy CA, pathlen:none
     \ issuer CA, pathlen:none
       \ client certificate

   In the first case OpenSSL does not verify the certificate correctly (i.e. the verification succeeds). It ignores the pathlen constraint defined in the root CA.

2. The certificate chain with a pathlen constraint defined in an intermediate CA:

   Root CA, pathlen:none
   \ policy CA, pathlen:0
     \ issuer CA, pathlen:0
       \ client certificate

   In the last case OpenSSL does the correct verification (i.e. fails the client certificate) only when I define the intermediate CAs as "untrusted".

Is that the supposed way the pathlen constraint works? Is it allowed to define the pathlen constraint in the root CA?

I'm using OpenSSL 0.9.8r.

Many thanks,
Sergey Emantayev

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
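The two observations in the question both come down to how RFC 5280 section 6.1 does its path-length bookkeeping: max_path_length starts at the number of certificates below the trust anchor, the anchor's own extensions are not read by the core algorithm (section 6.2 leaves applying them as an implementation option), and chain building stops at the first trusted certificate, so a trusted intermediate becomes the anchor and the CAs above it never take part in validation. The following is an added example, not code from the original post or from OpenSSL: a small Python model of that bookkeeping run over the two chains described above. The Cert records, build_path, validate_path_length, run_scenarios and the enforce_anchor_pathlen switch are all constructed for this illustration; nothing here parses real X.509 or checks signatures.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: only the fields that
    matter for path-length processing (assumption: no real DER is parsed)."""
    subject: str
    issuer: str
    is_ca: bool
    pathlen: Optional[int] = None  # basicConstraints pathLenConstraint, None if absent

    @property
    def self_issued(self) -> bool:
        return self.subject == self.issuer


def build_path(leaf: Cert, store: Dict[str, Cert], trusted: Set[str]) -> Tuple[Cert, List[Cert]]:
    """Follow issuer links upward from the leaf until a trusted certificate is
    reached. Returns (trust_anchor, path) with path ordered anchor-side first
    and excluding the anchor itself, as RFC 5280 section 6.1 expects. Chain
    building stops at the first trusted cert, so a trusted intermediate becomes
    the anchor and every CA above it drops out of the validated path."""
    path: List[Cert] = []
    cur = leaf
    while cur.subject not in trusted:
        path.append(cur)
        issuer = store.get(cur.issuer)
        if issuer is None or issuer is cur:  # missing issuer or untrusted self-signed cert
            raise ValueError(f"cannot reach a trust anchor from {cur.subject}")
        cur = issuer
    path.reverse()
    return cur, path


def validate_path_length(anchor: Cert, path: List[Cert],
                         enforce_anchor_pathlen: bool = False) -> Tuple[bool, str]:
    """RFC 5280 section 6.1 path-length bookkeeping only (no signature, name or
    policy checks). The core algorithm initialises max_path_length to the path
    length (6.1.2) and never reads the anchor's own extensions; section 6.2
    leaves applying them as an implementation option, modelled here by the
    constructed enforce_anchor_pathlen switch."""
    n = len(path)
    max_path_length = n
    if enforce_anchor_pathlen and anchor.pathlen is not None:
        max_path_length = min(max_path_length, anchor.pathlen)
    for i, cert in enumerate(path, start=1):
        if i == n:            # the end-entity certificate gets no preparation steps
            break
        if not cert.is_ca:    # 6.1.4 (k): every intermediate must assert cA
            return False, f"{cert.subject}: not a CA"
        if not cert.self_issued:          # 6.1.4 (l): consume one unit of path length
            if max_path_length <= 0:
                return False, f"{cert.subject}: path length constraint exceeded"
            max_path_length -= 1
        if cert.pathlen is not None and cert.pathlen < max_path_length:  # 6.1.4 (m)
            max_path_length = cert.pathlen
    return True, "path length ok"


# Chain 1 from the question: the constraint sits on the root CA.
CHAIN1 = {c.subject: c for c in (
    Cert("Root CA", "Root CA", True, pathlen=1),
    Cert("Policy CA", "Root CA", True),
    Cert("Issuer CA", "Policy CA", True),
    Cert("client", "Issuer CA", False),
)}
# Chain 2 from the question: the constraint sits on the intermediate CAs.
CHAIN2 = {c.subject: c for c in (
    Cert("Root CA", "Root CA", True),
    Cert("Policy CA", "Root CA", True, pathlen=0),
    Cert("Issuer CA", "Policy CA", True, pathlen=0),
    Cert("client", "Issuer CA", False),
)}


def run_scenarios() -> Dict[str, bool]:
    """Validate both chains under the trust configurations from the question."""
    results: Dict[str, bool] = {}
    anchor, path = build_path(CHAIN1["client"], CHAIN1, {"Root CA"})
    results["chain1_root_trusted"] = validate_path_length(anchor, path)[0]
    results["chain1_root_trusted_anchor_enforced"] = validate_path_length(anchor, path, True)[0]
    anchor, path = build_path(CHAIN2["client"], CHAIN2, {"Root CA"})
    results["chain2_intermediates_untrusted"] = validate_path_length(anchor, path)[0]
    anchor, path = build_path(CHAIN2["client"], CHAIN2, {"Root CA", "Policy CA", "Issuer CA"})
    results["chain2_intermediates_trusted"] = validate_path_length(anchor, path, True)[0]
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Running it reproduces the question's two outcomes: chain 1 is accepted under the plain section 6.1 algorithm and rejected only when the anchor's pathlen:1 is folded into the initial max_path_length; chain 2 is rejected at the issuer CA when only the root is trusted, but accepted once the intermediates are in the trust store, because the path then consists of the client certificate alone and the policy CA's pathlen:0 is never consulted. When troubleshooting a verifier, check which certificates are loaded as trusted before concluding that a constraint is being ignored.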