> On May 31, 2018, at 6:08 PM, Sandeep Deshpande <sandeep.bvb@xxxxxxxxx> wrote: > > Hi Rich.. Thanks.. > We want to add a check in our openssl library on client side to reject such server certificate which are generated by the intermediate CA with missing extensions like basic constraints.. > How do we go about it? > > I looked at the code. In crypto/x509v3/v3_purp.c I see that check_ca is there. But it is getting called only for server certificate. Are you using OpenSSL 1.1.0 or OpenSSL 1.0.2? -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
