Question about handshake error

Viktor Dukhovni openssl-users at dukhovni.org
Wed Mar 11 18:46:57 UTC 2020


On Wed, Mar 11, 2020 at 06:06:44PM +0000, Matt Caswell wrote:

> >         if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
> >             return SSL_R_CA_MD_TOO_WEAK;
> >         return 1;
> >     }
> 
> The exclusion comes in ssl_security_cert_sig - so I think OpenSSL
> behaves correctly:
> 
> static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
> {
>     /* Lookup signature algorithm digest */
>     int secbits, nid, pknid;
>     /* Don't check signature if self signed */
>     if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
>         return 1;

So I failed to look just one more layer down the call stack. :-(
Thanks for the sanity check.

-- 
    Viktor.

