On Thu, 2017-04-06 at 18:22 +0200, Kai Engert wrote:
> I would like to make you aware that the certificate validation of openssl isn't
> as complete as in NSS.
>
> For example, NSS is able to handle the blacklisted/distrusted CAs, which have
> been published by Mozilla, and are being made available as part of the
> ca-certificates package, while I believe openssl isn't.
>
> In addition, a few CA distrust mechanisms have been implemented at the NSS code
> level, and no equivalent mechanisms are currently being implemented at the
> openssl level [1].

I don't believe this is accurate. There is an extended certificate format which OpenSSL will accept which allows you to indicate specific trust or *dis*trust of a given certificate for specific purposes. You could, I think, use this format to produce a certificate file which basically says "I distrust this CA certificate for all purposes".

I wrote a bit about this at https://www.happyassassin.net/2015/01/16/openssl-trust-and-purpose/ . Corrections welcome, of course...

-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net
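As an added illustration (not code from the thread, nor OpenSSL's own), here is a stdlib-only Python decoder for the "TRUSTED CERTIFICATE" PEM layout Adam refers to: the certificate DER followed by OpenSSL's X509_CERT_AUX block carrying trust OIDs, reject OIDs and an alias. The sample PEM is constructed with a placeholder SEQUENCE in place of a real certificate, and trust_status is a simplified reject-wins rule written for this example, not OpenSSL's exact X509_check_trust logic.

```python
import base64

# Added example, not the poster's code. OID bytes and the PEM below are constructed.
OID_SERVER_AUTH = bytes.fromhex("06082b06010505070301")  # 1.3.6.1.5.5.7.3.1
OID_CLIENT_AUTH = bytes.fromhex("06082b06010505070302")  # 1.3.6.1.5.5.7.3.2
ANY_EKU = "2.5.29.37.0"                                   # anyExtendedKeyUsage

def der(tag, body):  # short-form DER encoder (body < 128 bytes), used for the sample
    return bytes([tag, len(body)]) + body

def tlv(buf, pos):  # (tag, value, next_pos) of the DER element at buf[pos:]
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:    # long-form length, as real certificates use
        k, n = n & 0x7F, 0
        for _ in range(k): n, pos = (n << 8) | buf[pos], pos + 1
    return tag, buf[pos:pos + n], pos + n

def decode_oid(raw):
    arcs, v = [], 0
    for b in raw:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80: arcs.append(v); v = 0
    return ".".join(map(str, [arcs[0] // 40, arcs[0] % 40] + arcs[1:]))

def parse_trusted_pem(pem):
    """Split a TRUSTED CERTIFICATE PEM into (cert_der, trust, reject, alias)."""
    raw = base64.b64decode("".join(ln for ln in pem.splitlines() if "-----" not in ln))
    _, _, end = tlv(raw, 0)  # first SEQUENCE is the certificate itself
    trust, reject, alias = [], [], None
    if end < len(raw):       # X509_CERT_AUX SEQUENCE follows the certificate
        _, body, _ = tlv(raw, end)
        pos = 0
        while pos < len(body):
            tag, val, pos = tlv(body, pos)
            if tag in (0x30, 0xA0):  # trust SEQUENCE OF OID / reject [0] IMPLICIT
                oids, p = [], 0
                while p < len(val):
                    _, o, p = tlv(val, p); oids.append(decode_oid(o))
                (trust if tag == 0x30 else reject).extend(oids)
            elif tag == 0x0C:        # alias UTF8String
                alias = val.decode()
    return raw[:end], trust, reject, alias

def trust_status(trust, reject, purpose):
    """Simplified rule: an explicit or anyEKU reject wins, then explicit trust."""
    if purpose in reject or ANY_EKU in reject:
        return "rejected"
    return "trusted" if purpose in trust or ANY_EKU in trust else "untrusted"

# Constructed sample: placeholder SEQUENCE as the "certificate", then an aux block
# that trusts clientAuth but rejects serverAuth for this CA.
AUX = der(0x30, der(0x30, OID_CLIENT_AUTH) + der(0xA0, OID_SERVER_AUTH)
          + der(0x0C, b"Example Distrusted CA"))
SAMPLE_PEM = ("-----BEGIN TRUSTED CERTIFICATE-----\n%s\n-----END TRUSTED CERTIFICATE-----\n"
              % base64.b64encode(der(0x30, der(0x02, b"\x01")) + AUX).decode())
```

Putting anyExtendedKeyUsage in the reject list is how the "distrust for all purposes" case Adam describes is expressed in this layout.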