I checked some other certificates, and found that some non-self-signed certificates having duplicate extension instances can be verified by openssl. I guess openssl is quite gentle when validating these malformed certificates.

On Sun, Apr 5, 2015 at 1:55 PM, Yuting Chen <chenyt at cs.sjtu.edu.cn> wrote:
> Hi, when I verify an X509 cert against a CA certificate, I found that the
> cert can pass validation even if it has two instances of X509v3 Basic
> Constraints, X509v3 Subject Key ids, and authority key ids. Seems that some
> issues are not important in verification. (I guess one reason is that one
> subject key id is the same as the authority key id, and thus openssl may
> regard it as a self-signed certificate?) Should this be forbidden?
> command: openssl verify -x509_strict -verbose -CAfile myroot.pem mycert.pem