> On Dec 11, 2017, at 6:03 PM, Dr. Pala <madw...@openca.org> wrote:
>
> thanks :D I just tried to set it and I get a different error now : 22
> (certificate chain too long)... I suspect it is a side effect of using the
> X509_V_FLAG_PARTIAL_CHAIN flag... ? (no chain restrictions are set in the
> certificates themselves...), but I have not dug into the vfy code yet...
Perhaps you ended up creating a parameter structure with a
depth limit that's too small. Just configuring partial
chains will never yield a chain that is longer than it
otherwise would be. In fact you generally get shorter
chains. So, no this is not a result of using the
new flag, but may be a result of how you're going about
setting the flag.
> ... any suggestion on how to fix this ? Do you think it is actually a bug ?
> ... or am I missing some other configs / setting I should have done for the
> verify param ?
You should obtain a reference to the existing parameters
from the context, and modify these to add the new flag.
--
Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
