[openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates
Jayalakshmi bhat
bhat.jayalakshmi at gmail.com
Mon Nov 16 05:14:05 UTC 2015
Hi Viktor,
Thank you for the response.
This is the code snippet from OpenSSL 1.0.2d.
int X509_verify_cert(X509_STORE_CTX *ctx) {
    ....................
    ....................
    ....................
    /* we now have our chain, lets check it... */
    i = check_trust(ctx);
    /* If explicitly rejected error */
    if (i == X509_TRUST_REJECTED)
        goto end;
}
This is the code snippet from OpenSSL 1.0.1c:
int X509_verify_cert(X509_STORE_CTX *ctx) {
    ....................
    ....................
    ....................
    /* The chain extensions are OK: check trust */
    if (param->trust > 0)
        ok = check_trust(ctx);
}
I am talking about "if (param->trust > 0)", which seems to have been removed in
OpenSSL 1.0.2d.
Regards
Jayalakshmi
On Mon, Nov 16, 2015 at 1:26 AM, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
> On Sun, Nov 15, 2015 at 07:00:06PM +0530, Jayalakshmi bhat wrote:
>
> > In an earlier version of OpenSSL (i.e. OpenSSL 1.0.1c) X509_verify_cert had a
> > check "if (params->trust > 0)" before invoking the check_trust function.
>
> The OpenSSL source code is available via git:
>
> https://github.com/openssl/openssl.git
>
> The branch containing 1.0.2c and 1.0.2d is "OpenSSL_1_0_2-stable".
>
> Can you point to the commit that makes the change in question?
>
> > This has been removed in OpenSSL 1.0.2d. Does it mean applications are
> > expected to set the X509_VERIFY_PARAM properly?
>
> I don't see any changes that match your description.
>
> --
> Viktor.