[openssl-users] openssl is flexible when verifying

Yuting Chen chenyt at cs.sjtu.edu.cn
Sun Apr 5 20:55:50 UTC 2015


Hi, when I verify an X509 cert against a CA certificate, I found that the
cert can pass validation even if it has two instances of X509v3 Basic
Constraints, X509v3 Subject Key ids, and authority key ids. It seems that some
issues are not important in verification. (I guess one reason is that one
subject key id is the same as the authority key id, and thus openssl may
regard it as a self-signed certificate?) Should this be forbidden?

command:  openssl verify -x509_strict -verbose -CAfile myroot.pem mycert.pem
-------------- next part --------------
A non-text attachment was scrubbed...
Name: myroot.pem
Type: application/x-x509-ca-cert
Size: 1815 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150405/4ace5ce9/attachment-0002.crt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: myfile.pem
Type: application/x-x509-ca-cert
Size: 2612 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150405/4ace5ce9/attachment-0003.crt>
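
RFC 5280 section 4.2 states that a certificate must not include more than one instance of a particular extension, so the condition described in the message can be checked independently of `openssl verify`. The following is an added example, not part of the original post or of OpenSSL: a small Python DER walker that lists extension OIDs occurring more than once (all function names and the constructed sample bytes are assumptions of this example).

```python
from collections import Counter

def read_tlv(buf, pos=0):
    """Parse one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(buf):  # yields (tag, value) for each element inside a constructed value
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

def oid_str(body):
    """Decode OID content octets to dotted notation."""
    arcs, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if b < 0x80:  # high bit clear: last octet of this arc
            arcs, acc = arcs + [acc], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first, *arcs[1:]]))

def duplicate_extensions(cert_der):
    """Return the sorted extension OIDs that appear more than once."""
    _, tbs = next(children(read_tlv(cert_der)[1]))  # Certificate -> TBSCertificate
    counts = Counter()
    for tag, val in children(tbs):
        if tag == 0xA3:  # [3] EXPLICIT Extensions
            _, ext_seq = next(children(val))  # SEQUENCE OF Extension
            for _, ext_body in children(ext_seq):
                counts[oid_str(next(children(ext_body))[1])] += 1  # extnID is first
    return sorted(oid for oid, n in counts.items() if n > 1)

# Constructed sample input: unsigned skeletons (serial + extensions only), short-form lengths.
def tlv(tag, *parts):
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)
def ext(oid_hex, value):
    return tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)), tlv(0x04, value))
def sample(*exts):
    return tlv(0x30, tlv(0x30, tlv(0x02, b"\x01"), tlv(0xA3, tlv(0x30, *exts))))
# basicConstraints = 2.5.29.19, subjectKeyIdentifier = 2.5.29.14, keyUsage = 2.5.29.15
BC, SKI = ext("551d13", tlv(0x30)), ext("551d0e", tlv(0x04, b"\xaa"))
SAMPLE_DUP = sample(BC, SKI, BC, SKI, ext("551d0f", tlv(0x03, b"\x01\x06")))
SAMPLE_OK = sample(BC, SKI)
```

For a PEM file such as mycert.pem, convert it first with the standard library's `ssl.PEM_cert_to_DER_cert(open(path).read())` and pass the result to `duplicate_extensions`.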

