Am 18.02.15 um 13:19 schrieb Stephan Mühlstrasser:
Unfortunately the "-no_explicit" command line option is not documented: https://www.openssl.org/docs/apps/ocsp.html What is the meaning of setting the OCSP_NOEXPLICIT flag resp. using the "-no_explicit" command line option. What exactly is checked by the X509_check_trust() call above with respect to the relevant RFCs?
As there is no documentation and as noone seems to know the meaning of the -no_explicit for "openssl ocsp", should I file a documentation defect in RT for that?
If I understand the code in OCSP_basic_verify() that is depending on the OCSP_NOEXPLICIT flag correctly, it checks the root CA for the presence of the OCSPSigning flag in the extended key usage field. I could not find anything in RFC 6960 and RFC 2560 that would mandate such a check for the root CA certificate. Only the OCSP signing certificate must have OCSPSigning in the extended key usage field.
So maybe it is even a bug in the code itself? -- Stephan _______________________________________________ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
