Thanks for the reply, Viktor.

Is it possible to keep searching for a valid certificate if the first matching certificate was not valid? Our customer claims that the NSS Mozilla didn't have this issue, so this is considered a regression for us.

Best Regards,

-- misaki

On 10/21/2017 3:21 PM, Viktor Dukhovni wrote:

On Oct 21, 2017, at 11:20 AM, Misaki Miyashita <misaki.miyash...@oracle.com> wrote:

We encountered a problem using OpenLDAP with OpenSSL when there was more than one certificate with the same subject.

Does OpenSSL stop searching for a valid certificate when it finds a certificate with matching DN?

Yes, when a matching issuer is found in the trust store, but is expired, no alternative certificates will be tested.  You need to remove outdated
issuer certificates from your trust store before they expire.
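
Added example, not part of the original thread: a shell function that audits a trust-store directory for the situation described above, reporting certificates that share a subject with another certificate in the store and are expired or will expire within a given number of seconds. The function name `stale_duplicates`, the one-certificate-per-file layout and the `.pem` extension are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes DIR holds one PEM
# certificate per file, named *.pem. stale_duplicates is a hypothetical name.
#
# Usage: stale_duplicates DIR [WINDOW_SECONDS]
# Prints the path of every certificate that
#   1. has the same subject name as another certificate in DIR, and
#   2. is expired or expires within WINDOW_SECONDS (default 0 = already expired).
stale_duplicates() {
    dir=$1
    window=${2:-0}
    index=$(mktemp) || return 2

    # Pass 1: index each certificate by its subject-name hash, the same
    # value OpenSSL uses to look up issuers in a hashed CA directory.
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        subj=$(openssl x509 -in "$cert" -noout -subject_hash 2>/dev/null) || continue
        printf '%s %s\n' "$subj" "$cert" >> "$index"
    done

    # Pass 2: for subjects that occur more than once, report the members
    # that -checkend says will no longer be valid after the window.
    while read -r subj cert; do
        count=$(grep -c "^$subj " "$index")
        [ "$count" -gt 1 ] || continue
        if ! openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null 2>&1; then
            printf '%s\n' "$cert"
        fi
    done < "$index"

    rm -f "$index"
}
```

Running it with a window of several weeks lists the duplicates to remove ahead of their expiry date.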

