Hi,
On 02-03-17 22:26, Gert Doering wrote:
> On Thu, Mar 02, 2017 at 09:36:32PM +0100, Steffan Karger wrote:
>> So, what I propose instead is:
>> * remove all the nsCertType code (except the option in add_option())
>> * update the help strings and man page to indicate that --ns-cert-type
>> is n

Hello,
On Sat, Mar 4, 2017 at 4:13 PM, Steffan Karger wrote:
> Hi,
>
> On 02-03-17 22:26, Gert Doering wrote:
>> On Thu, Mar 02, 2017 at 09:36:32PM +0100, Steffan Karger wrote:
>>> So, what I propose instead is:
>>> * remove all the nsCertType code (except the option in add_option())
>>> * upda

The nsCertType x509 extension is very old, and barely used. We already
have had an alternative for a long time: --remote-cert-tls uses the far
more common keyUsage and extendedKeyUsage extensions instead.
OpenSSL 1.1 no longer exposes an API to (separately) check the nsCertType x509
extension. Sinc

On 04/03/17 16:13, Steffan Karger wrote:
> As a last resort, we could consider keeping the old code inside #if
> OSSL_VER < 1.1.0 in release/2.4, but that might just create more
> confusion...
Just a very quick thought here ... I do dislike different behaviours
depending on which OpenSSL version b