[openssl-users] openssl is flexible when verifying

Yuting Chen chenyt at cs.sjtu.edu.cn
Sun Apr 5 21:26:18 UTC 2015


I checked some other certificates, and found that some non-self-signed
certificates having duplicate extension instances can be verified by
openssl. I guess openssl is quite gentle when validating these malformed
certificates.

On Sun, Apr 5, 2015 at 1:55 PM, Yuting Chen <chenyt at cs.sjtu.edu.cn> wrote:

> Hi, when I verify an X509 cert against a CA certificate, I found that the
> cert can pass validation even if it has two instances of X509v3 Basic
> Constraints, X509v3 Subject Key IDs, and Authority Key IDs. It seems that some
> issues are not important in verification. (I guess one reason is that one
> subject key ID is the same as the authority key ID, and thus openssl may
> regard it as a self-signed certificate?) Should this be forbidden?
> command: openssl verify -x509_strict -verbose -CAfile myroot.pem
> mycert.pem
>
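The situation the poster describes (a certificate carrying two Basic Constraints, two Subject Key Identifier and two Authority Key Identifier extensions) violates RFC 5280 section 4.2, which says a certificate must not include more than one instance of a particular extension. Whether a given verifier rejects that is its own policy, so a practitioner who wants to know whether a certificate is well-formed in this respect should check the DER structure directly. The following is an added example for this thread, not OpenSSL code and not the poster's: a minimal DER walker that lists the extnID of every extension in the TBSCertificate and reports any OID that appears more than once. The sample certificate it builds is constructed inline, with placeholder names, dates, key and a zero signature, so it is only good for this structural check; its extension list mirrors the poster's description (each extension twice, subject key ID equal to authority key ID).

```python
"""Report duplicate X.509 v3 extensions in a DER-encoded certificate.

Added example; not OpenSSL code. RFC 5280 s.4.2 forbids more than one
instance of a particular extension, so a certificate with duplicates is
malformed regardless of whether a verifier happens to accept it.
"""
from collections import Counter


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used in certificates")
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                      # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def _children(value):
    """Split the body of a constructed element into its (tag, value) members."""
    members, pos = [], 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        members.append((tag, v))
    return members


def _decode_oid(raw):
    """Decode the body of an OBJECT IDENTIFIER into dotted-decimal form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def extension_oids(cert_der):
    """Return the extnID of every extension in the TBSCertificate, in order."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tbs_tag, tbs = _children(cert)[0]
    if tbs_tag != 0x30:
        raise ValueError("TBSCertificate is not a SEQUENCE")
    for member_tag, member in _children(tbs):
        if member_tag == 0xA3:             # [3] EXPLICIT Extensions (v3 certificates only)
            _, extensions = _children(member)[0]
            # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
            return [_decode_oid(_children(ext)[0][1]) for _, ext in _children(extensions)]
    return []


def duplicate_extensions(cert_der):
    """Map each extnID that appears more than once to its occurrence count."""
    counts = Counter(extension_oids(cert_der))
    return {oid: n for oid, n in counts.items() if n > 1}


# ---- constructed sample input (placeholder key and zero signature, not a real cert) ----

def _der(tag, body):
    """Minimal DER TLV encoder for bodies up to 65535 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    if n < 0x100:
        return bytes([tag, 0x81, n]) + body
    return bytes([tag, 0x82, n >> 8, n & 0xFF]) + body


def _ext(oid_hex, value, critical=False):
    """Encode one Extension; `value` is the inner DER wrapped in the OCTET STRING here."""
    body = _der(0x06, bytes.fromhex(oid_hex))
    if critical:
        body += _der(0x01, b"\xff")
    return _der(0x30, body + _der(0x04, value))


def sample_cert(extensions):
    """Build a structurally valid v3 Certificate around the given encoded extensions."""
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"Test"))))
    validity = _der(0x30, _der(0x17, b"250101000000Z") + _der(0x17, b"260101000000Z"))
    spki = _der(0x30, rsa + _der(0x03, b"\x00\x00"))       # placeholder public key
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))       # version v3
                   + _der(0x02, b"\x01")                    # serialNumber
                   + sha256_rsa + name + validity + name + spki
                   + _der(0xA3, _der(0x30, b"".join(extensions))))
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00\x00"))   # zero signature


BASIC_CONSTRAINTS, SUBJECT_KEY_ID, AUTHORITY_KEY_ID = "551d13", "551d0e", "551d23"  # 2.5.29.19/.14/.35
KEY_ID = bytes.fromhex("deadbeef")
CA_TRUE = _der(0x30, _der(0x01, b"\xff"))                  # BasicConstraints { cA TRUE }
SKI_VALUE = _der(0x04, KEY_ID)                             # SubjectKeyIdentifier
AKI_VALUE = _der(0x30, _der(0x80, KEY_ID))                 # AuthorityKeyIdentifier { [0] keyIdentifier }

# Every extension twice, subject key ID equal to authority key ID, as in the thread.
MALFORMED_CERT = sample_cert([
    _ext(BASIC_CONSTRAINTS, CA_TRUE, critical=True), _ext(BASIC_CONSTRAINTS, CA_TRUE, critical=True),
    _ext(SUBJECT_KEY_ID, SKI_VALUE), _ext(SUBJECT_KEY_ID, SKI_VALUE),
    _ext(AUTHORITY_KEY_ID, AKI_VALUE), _ext(AUTHORITY_KEY_ID, AKI_VALUE),
])
WELL_FORMED_CERT = sample_cert([
    _ext(BASIC_CONSTRAINTS, CA_TRUE, critical=True),
    _ext(SUBJECT_KEY_ID, SKI_VALUE),
    _ext(AUTHORITY_KEY_ID, AKI_VALUE),
])

if __name__ == "__main__":
    print("duplicate extensions:", duplicate_extensions(MALFORMED_CERT))
```

To run this against a real certificate, pass the DER bytes of the file (for a PEM file, base64-decode the body between the BEGIN/END lines first) to `duplicate_extensions`. Doing the check on the raw structure matters because it answers the poster's question independently of the verifier: the certificate is malformed whether or not `openssl verify` reports an error.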