Good day,
The following is a question re: openssl verify.
In the openssl docs, I have found that no chain verification is done if the
option -purpose is not set. I just checked with a few test cases (certs
from HTTPS server, chain length at least 3) and found that the output of
verify seems to
On Wed, Mar 09, 2011, Ralph Holz wrote:
Good day,
The following is a question re: openssl verify.
In the openssl docs, I have found that no chain verification is done if the
option -purpose is not set. I just checked with a few test cases (certs
from HTTPS server, chain length at least
Hi Steve,
On 9 March 2011 13:03, Dr. Stephen Henson st...@openssl.org wrote:
Am I correct in surveying that openssl verify uses a default of sslserver
for -purpose?
No it just means that most certificates could (in theory) be used as SSL
server certificates. If you had appropriate
On Wed, Mar 09, 2011, Ralph Holz wrote:
Hi Steve,
On 9 March 2011 13:03, Dr. Stephen Henson st...@openssl.org wrote:
Am I correct in surveying that openssl verify uses a default of sslserver
for -purpose?
No it just means that most certificates could (in theory) be used as SSL
Hi,
No it just means that most certificates could (in theory) be used as SSL
server certificates. If you had appropriate extensions restrictions (e.g.
extended key usage or the deprecated Netscape certificate type) you'd notice
the difference.
Thanks for the quick answer.
On Wed, Mar 09, 2011, Ralph Holz wrote:
Sorry again, but this is somewhat confusing. Your words seem to imply that
the correctness of the chain leading up to the root CA is indeed evaluated
(else why bother about the CA cert?). Yet the docs say about -purpose:
Without this option no chain