OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Viktor,

Thank you for the response.

This is the code snippet from OpenSSL 1.0.2d.

int X509_verify_cert(X509_STORE_CTX *ctx) {

       ....................
       ....................
       ....................

        /* we now have our chain, lets check it... */
        i = check_trust(ctx);

        /* If explicitly rejected error */
        if (i == X509_TRUST_REJECTED)
            goto end;
}

This is code snippet from OpenSSL 1.0.1c

int X509_verify_cert(X509_STORE_CTX *ctx) {

       ....................
       ....................
       ....................
     /* The chain extensions are OK: check trust */

*if (param->trust > 0)* ok = check_trust(ctx);
}

I am talking about "*if (param->trust > 0)" *that seems to removed in
OpenSSL 1.0.2d.

Regards
Jayalakshmi


On Mon, Nov 16, 2015 at 1:26 AM, Viktor Dukhovni <openssl-users at dukhovni.org
> wrote:

> On Sun, Nov 15, 2015 at 07:00:06PM +0530, Jayalakshmi bhat wrote:
>
> > In earlier version of OpenSSL  (i.e OpenSSL 1.0.1c)  X509_verify_cert
> had a
> > check * if (params->trust >0)* before invoking check_trust function.
>
> The OpenSSL source code is available via git:
>
>     https://github.com/openssl/openssl.git
>
> The branch containing 1.0.2c and 1.0.2d is "OpenSSL_1_0_2-stable".
>
> Can you point to the commit that makes the change in question?
>
> > This has been removed in OpenSSL 1.0.2d. Does it mean applications are
> > expected to set the X509_VERIFY_PARAM properly?
>
> I don't see any changes that match your description.
>
> --
>         Viktor.
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151116/af8a4121/attachment-0001.html>


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux