> On Jul 25, 2018, at 3:00 PM, Ken Goldman <kgold...@us.ibm.com> wrote:
>
>
> If you're suggesting altering the above code to do the level check
> before the call to get pkey, I think that would fix my problem.
Yes, that's what I'm saying, but also asking the broader list for feedback
on such a change. Should security level zero succeed even with unsupported
EE keys (which somehow get used with some other software???)?
> ... if I can set level to a negative value. How do I set level? Is there an
> API or a configuration file?
It does not need to be negative, the test is "<= 0", but the default is
in fact -1 (not set). There is indeed a function for setting a non-default
security level:
X509_VERIFY_PARAM_set_auth_level()
and it is documented.
--
Viktor.