Hello,
My company is setting up a B2Bi integration network. As an optional part of
this, we would like to use x509 certificate based client and server
authentication.
We found out that the typical server certificates we and our clients buy
from Verisign have a specified purpose of 'SSL Server'.
When we try to use the same certificate to authenticate one server to
another server, modssl/openssl rejects the certificate from the client side,
saying '[error] Certificate Verification: Error (26): unsupported
certificate purpose'
We could not find a way to get a certificate from Verisign which is valid as
both a server and a client.
We would rather not become a certificate issuer ourselves.
How do people solve the issue of mutual certificate based authentication?
Is there a way to turn off the certificate purpose in modssl/openssl without
changing the source code?
What kinds of security holes are we likely to run into if we try to turn off
the check for certificate purpose?
Regards.
Sumit
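The rejection described in the post can be reproduced outside mod_ssl with the openssl command line. The following is an added example, not part of the original message: it generates a throwaway self-signed certificate whose extendedKeyUsage is serverAuth only (the shape of a typical "SSL Server" certificate), a second one carrying both serverAuth and clientAuth, and asks `openssl verify -purpose` to accept each for the sslserver and sslclient purposes. It assumes `openssl` is on PATH; the certificate names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo (not from the post): reproduce the purpose check with the
# openssl CLI. Verify error 26 is X509_V_ERR_INVALID_PURPOSE.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert <name> <extendedKeyUsage list>
# Writes a throwaway self-signed leaf cert $WORK/<name>.pem with that EKU.
make_cert() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $1.example
[ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = $2
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# purpose_ok <name> <sslserver|sslclient>
# Exit 0 if openssl accepts the cert for that purpose, non-zero otherwise.
# The cert is used as its own trust anchor, so only the purpose check can fail.
purpose_ok() {
  openssl verify -CAfile "$WORK/$1.pem" -purpose "$2" "$WORK/$1.pem" >/dev/null 2>&1
}

# Show why an 'SSL Server' certificate fails as a client certificate while one
# carrying both serverAuth and clientAuth passes both checks.
make_cert server-only serverAuth
make_cert dual "serverAuth, clientAuth"
for cert in server-only dual; do
  for purpose in sslserver sslclient; do
    if purpose_ok "$cert" "$purpose"; then result=accepted; else result=rejected; fi
    echo "$cert verified for $purpose: $result"
  done
done
```

Dropping `-purpose` from the verify call (or the equivalent check in the application) is what makes the server-only certificate pass as a client; the EKU extension is the only thing distinguishing the two certificates here.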
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]