Victor Duchovni writes:
> Should we call not allowing CA certs with CA:FALSE or a Key Usage that
> does not include certificate signing "less buggy", rather than "tougher"?

Sure :-).

Cheers,
Richard
-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsori
On Fri, Jul 08, 2005 at 10:52:47AM +0200, Richard Levitte wrote:
> Aleksey Sanin writes:
>
> >Thanks for quick response and explanations! You are right, the
> >second certificate in the chain did not have CA ext flag set and
> >0.9.8 did not like it while 0.9.6/0.9.7 ignore this problem.
>
> Yu
Aleksey Sanin writes:
> Thanks for quick response and explanations! You are right, the
> second certificate in the chain did not have CA ext flag set and
> 0.9.8 did not like it while 0.9.6/0.9.7 ignore this problem.

Yup, it's true, OpenSSL has become tougher on non-compliant CA certificates.
---
Thanks for quick response and explanations! You are right, the
second certificate in the chain did not have CA ext flag set and
0.9.8 did not like it while 0.9.6/0.9.7 ignore this problem.
Very strange that I missed this till now :(
Thanks again,
Aleksey
Aleksey Sanin writes:
I ran into an "invalid CA certificate" (X509_V_ERR_INVALID_CA) error when I was trying to verify a third-level certificate with OpenSSL 0.9.8. It seems that the code in the check_chain_extensions() function in the crypto/x509/x509_vfy.c file assumes that either certificate must be directly signed by CA cert