[openssl-users] Rejecting SHA-1 certificates
Viktor Dukhovni
openssl-users at dukhovni.org
Wed Jul 12 05:23:10 UTC 2017
On Wed, Jul 12, 2017 at 02:02:31AM +0200, Jakob Bohm wrote:
> I don't think a state is really needed for this, if the callback
> simply checks if the certificate is in the loaded trust collection,
> and/or if it is self-signed (depending on the application's chosen
> root CA trust model).
Yes, though that too is complicated, e.g. DANE-TA(2) validation
often produces chains where none of the certs are in the local
store or self-signed. And checking the trust stores for an
exact match takes some care...
The stateful approach is in some ways more elementary.
--
Viktor.
More information about the openssl-users
mailing list