[openssl-users] Certificate Verify and non-root Trust Anchors
Viktor Dukhovni
openssl-users at dukhovni.org
Mon Dec 11 23:18:14 UTC 2017
> On Dec 11, 2017, at 6:03 PM, Dr. Pala <madwolf at openca.org> wrote:
>
> thanks :D I just tried to set it and I get a different error now : 22 (certificate chain too long)... I suspect it is a side effect of using the X509_V_FLAG_PARTIAL_CHAIN flag... ? (no chain restrictions are set in the certificates themselves...), but I have not dug into the vfy code yet...
Perhaps you ended up creating a parameter structure with a
depth limit that's too small. Just configuring partial
chains will never yield a chain that is longer than it
otherwise would be. In fact you generally get shorter
chains. So, no this is not a result of using the
new flag, but may be a result of how you're going about
setting the flag.
> ... any suggestion on how to fix this ? Do you think it is actually a bug ? ... or am I missing some other configs / setting I should have done for the verify param ?
You should obtain a reference to the existing parameters
from the context, and modify these to add the new flag.
--
Viktor.
More information about the openssl-users
mailing list