[openssl-users] openssl 1.1 certificate verification fails with non-standard public key algorithm

Viktor Dukhovni openssl-users at dukhovni.org
Wed Jul 25 20:27:53 UTC 2018
> On Jul 25, 2018, at 3:00 PM, Ken Goldman <kgoldman at us.ibm.com> wrote:
> 
> 
> If you're suggesting altering the above code to do the level check before the call to get pkey, I think that would fix my problem.

Yes, that's what I'm saying, but also asking the broader list for feedback
on such a change.  Should security level zero succeed even with unsupported
EE keys (which somehow get used with some other software???).

> ... if I can set level to a negative value.  How do I set level?  Is there an API or a configuration file?

It does not need to be negative: the test is "<= 0", but the default is
in fact -1 (not set).  There is indeed a function for setting a non-default
security level:

   X509_VERIFY_PARAM_set_auth_level()

and it is documented.

-- 
	Viktor.
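An added illustration of the ordering question raised in the reply above. This is not OpenSSL's code and not code posted in the thread; it is a simplified stand-alone model of an end-entity key-strength check written in both orderings, so the effect of consulting the security level before or after fetching the public key can be seen on constructed input. The `struct model_pkey`/`struct model_cert` types, the `run_original`/`run_reordered` helpers, and the `minbits_table` values are assumptions for the illustration; a real OpenSSL caller would set the level through the documented `X509_VERIFY_PARAM_set_auth_level()` named in the reply rather than passing it as an integer argument.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a parsed public key (only its strength matters). */
struct model_pkey {
    int security_bits;
};

/* Constructed stand-in for a certificate; pkey == NULL models a key whose
 * algorithm the library cannot parse, i.e. an unsupported EE key. */
struct model_cert {
    const struct model_pkey *pkey;
};

/* Assumed minimum security bits for levels 1..NUM_AUTH_LEVELS; this table is
 * part of the illustration, not a quotation from any library source. */
#define NUM_AUTH_LEVELS 5
static const int minbits_table[NUM_AUTH_LEVELS] = { 80, 112, 128, 192, 256 };

/* Ordering under discussion: the key is fetched before the level is consulted,
 * so an unsupported key is rejected even when level <= 0 (default -1). */
int check_key_level_original(const struct model_cert *cert, int level)
{
    const struct model_pkey *pkey = cert->pkey;

    if (pkey == NULL)
        return 0;               /* unsupported key: fails before level is examined */
    if (level <= 0)
        return 1;
    if (level > NUM_AUTH_LEVELS)
        level = NUM_AUTH_LEVELS;
    return pkey->security_bits >= minbits_table[level - 1];
}

/* Reordered check: level <= 0 short-circuits before the key is needed, so
 * unsupported keys fail only once a key-strength policy (level >= 1) applies. */
int check_key_level_reordered(const struct model_cert *cert, int level)
{
    const struct model_pkey *pkey;

    if (level <= 0)
        return 1;               /* no strength policy: accept without parsing the key */
    pkey = cert->pkey;
    if (pkey == NULL)
        return 0;
    if (level > NUM_AUTH_LEVELS)
        level = NUM_AUTH_LEVELS;
    return pkey->security_bits >= minbits_table[level - 1];
}

/* Helpers that build a constructed certificate and run one of the checks.
 * key_bits < 0 models an unsupported key algorithm (no parsable key). */
static int run_check(int reordered, int key_bits, int level)
{
    struct model_pkey pkey;
    struct model_cert cert;

    pkey.security_bits = key_bits;
    cert.pkey = key_bits < 0 ? NULL : &pkey;
    return reordered ? check_key_level_reordered(&cert, level)
                     : check_key_level_original(&cert, level);
}

int run_original(int key_bits, int level)  { return run_check(0, key_bits, level); }
int run_reordered(int key_bits, int level) { return run_check(1, key_bits, level); }

int main(void)
{
    const int levels[] = { -1, 0, 1, 2, 3 };
    size_t i;

    printf("level  unsupported key (orig/reordered)  112-bit key (orig/reordered)\n");
    for (i = 0; i < sizeof levels / sizeof levels[0]; i++)
        printf("%5d  %d/%d  %d/%d\n", levels[i],
               run_original(-1, levels[i]), run_reordered(-1, levels[i]),
               run_original(112, levels[i]), run_reordered(112, levels[i]));
    return 0;
}
```

The table printed by `main` makes the trade-off concrete: with the reordered check, the default level (-1) and level 0 accept a certificate whose key cannot be parsed, while any level of 1 or higher still rejects it, which is exactly the policy question put to the list.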