[openssl-users] Rejecting SHA-1 certificates

Viktor Dukhovni openssl-users at dukhovni.org
Wed Jul 12 05:23:10 UTC 2017

On Wed, Jul 12, 2017 at 02:02:31AM +0200, Jakob Bohm wrote:

> I don't think a state is really needed for this, if the callback
> simply checks if the certificate is in the loaded trust collection,
> and/or if it is self-signed (depending on the application's chosen
> root CA trust model).

Yes, though that too is complicated, e.g. DANE-TA(2) validation
often produces chains where none of the certs are in the local
store or self-signed.  And checking the trust stores for an
exact match takes some care...

The stateful approach is in some ways more elementary.


More information about the openssl-users mailing list