Hi everybody,

OpenSSL 0.9.7b3 tells me "error=24 (invalid CA certificate)" in the verify_callback when I use a certificate chain where the CAs are X509 version 1 (i.e. they are missing the X509v3 extension that says that the CA certificate is good for signing other public keys). I checked the code and there is only one place that emits X509_V_ERR_INVALID_CA, in x509_vfy.c:396.

    if (!X509_check_purpose(x, ctx->purpose, i)) {
        if (i)
            ctx->error = X509_V_ERR_INVALID_CA;
        else
            ctx->error = X509_V_ERR_INVALID_PURPOSE;

Is there any reason why a CA cannot have a version 1 certificate? I also did not find an option to set on the SSL_CTX to allow CAs with x509v1. Any idea?

Thanks a lot,
Joerg
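
An added example, not part of the original message and not OpenSSL code: a stdlib-only Python walk over a certificate's DER that reports the X.509 version and the basicConstraints cA flag, so the version 1 CA certificates described in the post can be spotted before a chain is handed to the verifier. The names `ca_status`, `tlv` and `skeleton` are chosen here, and the sample inputs are constructed certificate-shaped skeletons with no real key or signature.

```python
BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # OID 2.5.29.19

def read(buf, pos=0):
    """Decode one DER element at pos; return (tag, body, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        k = length & 0x7F
        length = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split the contents of a constructed element into (tag, body) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read(body, pos)
        out.append((tag, inner))
    return out

def ca_status(cert_der):
    """Return (x509_version, cA), with cA None when basicConstraints is absent."""
    fields = children(read(read(cert_der)[1])[1])  # Certificate -> TBSCertificate
    version = 1  # a v1 certificate omits the [0] version field
    if fields[0][0] == 0xA0:
        version = children(fields[0][1])[0][1][0] + 1
    for tag, body in fields:
        if tag == 0xA3:  # [3] extensions, present only in v3
            for _, ext in children(children(body)[0][1]):
                parts = children(ext)  # OID, optional critical flag, OCTET STRING
                if parts[0][1] == BASIC_CONSTRAINTS:
                    bc = children(children(parts[-1][1])[0][1])
                    return version, bool(bc) and bc[0][0] == 0x01 and bc[0][1] != b"\x00"
    return version, None

def tlv(tag, body=b""):
    assert len(body) < 0x80  # short-form lengths suffice for the samples
    return bytes([tag, len(body)]) + body

def skeleton(v3, ca=None):
    """Constructed certificate-shaped DER: empty names, no real key or signature."""
    seq = lambda *parts: tlv(0x30, b"".join(parts))
    tbs = [tlv(0x02, b"\x01")] + [seq()] * 5  # serial, then five empty SEQUENCEs
    if v3:
        tbs.insert(0, tlv(0xA0, tlv(0x02, b"\x02")))
        if ca is not None:
            ext = seq(tlv(0x06, BASIC_CONSTRAINTS), tlv(0x04, seq(tlv(0x01, b"\xff")) if ca else seq()))
            tbs.append(tlv(0xA3, seq(ext)))
    return seq(seq(*tbs), seq(), tlv(0x03, b"\x00"))
```

For a real certificate, pass its DER bytes to `ca_status`; a result of `(1, None)` on a certificate that issues others is the version 1 CA case from the post.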