> On May 31, 2018, at 6:08 PM, Sandeep Deshpande <sandeep.bvb@xxxxxxxxx> wrote:
>
> We want to add a check in our OpenSSL library on the client side to reject server certificates that are generated by the intermediate CA with missing extensions like basic constraints.
> How do we go about it?
>
> I looked at the code. In crypto/x509v3/v3_purp.c I see that check_ca is there. But it is getting called only for the server certificate.

In OpenSSL 1.0.2 CA certificates found in the trust store are not checked. This is fixed in 1.1.0.

You can always implement a verify callback to apply additional constraints.

--
Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users