Question about handshake error
Viktor Dukhovni
openssl-users at dukhovni.org
Wed Mar 11 18:46:57 UTC 2020
On Wed, Mar 11, 2020 at 06:06:44PM +0000, Matt Caswell wrote:
> > if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
> > return SSL_R_CA_MD_TOO_WEAK;
> > return 1;
> > }
>
> The exclusion comes in ssl_security_cert_sig - so I think OpenSSL
> behaves correctly:
>
> static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
> {
> /* Lookup signature algorithm digest */
> int secbits, nid, pknid;
> /* Don't check signature if self signed */
> if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
> return 1;
So I failed to look just one more layer down the call stack. :-(
Thanks for the sanity check.
--
Viktor.
More information about the openssl-users
mailing list