Hi everybody,
OpenSSL 0.9.7b3 tells me "error=24 (invalid CA certificate)" in the
verify_callback when I use a certificate chain where the CAs are X509
version 1 (i.e. they are missing the X509v3 extension that says that
the CA certificate is good for signing other public keys).
I checked the code and there is only one place that emits
X509_V_ERR_INVALID_CA, in x509_vfy.c:396.

    if (!X509_check_purpose(x, ctx->purpose, i))
        {
        if (i)
            ctx->error = X509_V_ERR_INVALID_CA;
        else
            ctx->error = X509_V_ERR_INVALID_PURPOSE;

Is there any reason why a CA cannot have a version 1 certificate? I
also did not find an option to set on the SSL_CTX to allow CAs with X509v1.
Any ideas? Thanks a lot,
Joerg