> On May 3, 2017, at 5:58 AM, john gloster <glosterj9@xxxxxxxxx> wrote:
>
> Hi,
>
> I needed to validate different extensions of each of the Issuer certificates in the chain.
>
> Snippet from https://linux.die.net/man/3/ssl_set_verify:
>
> "The certificate chain is checked starting with the deepest nesting level (the root CA certificate) and worked upward to the peer's certificate. At each level signatures and issuer attributes are checked."
>
> When we say "issuer attributes", could someone let me know what different stuffs in the CA certificate are validated?

For the full verification process see:

  https://github.com/openssl/openssl/blob/f0ef20bf386b5c37ba5a4ce5c1de9a819bbeffb2/crypto/x509/x509_vfy.c#L208

which happens after checking that the peer's key meets the required security level at:

  https://github.com/openssl/openssl/blob/f0ef20bf386b5c37ba5a4ce5c1de9a819bbeffb2/crypto/x509/x509_vfy.c#L286

The specific chain checks you may be thinking of are:

  https://github.com/openssl/openssl/blob/f0ef20bf386b5c37ba5a4ce5c1de9a819bbeffb2/crypto/x509/x509_vfy.c#L448

--
Viktor.