On Thu, Jun 03, 2010, Victor Duchovni wrote:

> On Thu, Jun 03, 2010 at 09:45:36PM +0200, Erwann ABALEA wrote:
>
> > On June 3, 2010, Victor Duchovni wrote:
> > > On Thu, Jun 03, 2010 at 02:32:10PM -0400, jeff wrote:
> > >
> > > > > I would expect such constraints to only apply when
> > > > > certificates are being *verified*. There seems to be
> > > > > little point in preventing a CA from attempting to sign
> > > > > violating certificates.
> > > >
> > > > Yes I later tried to "verify" and I still got no complaints.
> > >
> > > As I said, the "verify" command only checks the trust chain; peer name
> > > verification is not in scope.
> >
> > It could fail to validate the chain, given the fact that the extension
> > is set critical, and not handled, even if recognized.
>
> This is what the 1.0.0 version in fact does, but it also (as I just
> learned) supports name constraints. The 0.9.8 version of the verify(1)
> command-line utility does not check critical extensions:
>
>     if (ctx->error == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) ok=1;
>
> The API raises the error, but verify(1) does not report it. In 1.0.0
> there is a new command-line switch to ignore critical extensions.
>
The verify utility is designed to continue where possible for debugging
purposes. It should report the error via the callback and carry on.

OpenSSL 0.9.8 also includes an option to ignore critical extensions:
-ignore_critical

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
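An added demonstration of the behaviour discussed in this thread (not code from any of the posters or from the OpenSSL project): it builds a throwaway CA and a leaf whose only notable extension is an unknown OID marked critical, then shows that verify(1) rejects the chain with the unhandled-critical-extension error unless -ignore_critical is given. The OID 1.2.3.4, the names and the temporary files are constructed for the example; it assumes an openssl binary (1.1.1 or later) on PATH.

```shell
#!/bin/sh
# Constructed demo: leaf certificate with an extension OpenSSL has no handler
# for, flagged critical. OID 1.2.3.4 and every name here are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ leaf_ext ]
# Unknown OID flagged critical: verification raises
# X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION (error 34) on this cert.
1.2.3.4 = critical,ASN1:UTF8String:unhandled critical extension demo
EOF

# Throwaway CA and a leaf signed by it (keys live only in $WORK).
openssl req -x509 -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
  -subj /CN=DemoCA -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
  -subj /CN=leaf -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/demo.cnf" -extensions leaf_ext \
  -out "$WORK/leaf.pem" 2>/dev/null

# Prints 0 when "openssl verify" accepts the chain, 1 when it rejects it.
# $1 is an optional extra flag, left unquoted so "" expands to nothing.
verify_status() {
  if openssl verify $1 -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo 0
  else
    echo 1
  fi
}

# With a current OpenSSL the API error is reported by verify(1) and the
# chain is rejected; -ignore_critical suppresses exactly this error.
echo "default:          $(verify_status "")"                # 1 (error 34)
echo "-ignore_critical: $(verify_status -ignore_critical)"  # 0 (accepted)
```

Note that -ignore_critical only covers extensions OpenSSL does not understand; an extension it does handle, such as name constraints, is still enforced with the flag set.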