[openssl-users] Fwd: basic constraints check
Viktor Dukhovni
openssl-users at dukhovni.org
Thu May 31 22:38:26 UTC 2018
> On May 31, 2018, at 6:08 PM, Sandeep Deshpande <sandeep.bvb at gmail.com> wrote:
>
> We want to add a check in our openssl library on client side to reject such server certificate which are generated by the intermediate CA with missing extensions like basic constraints..
> How do we go about it?
>
> I looked at the code. In crypto/x509v3/v3_purp.c I see that check_ca is there. But it is getting called only for server certificate.
In OpenSSL 1.0.2 CA certificates found in the trust store
are not checked. This is fixed in 1.1.0.
You can always implement a verify callback to apply additional
constraints.
--
Viktor.
More information about the openssl-users
mailing list