> On Jul 25, 2018, at 3:00 PM, Ken Goldman <kgoldman@xxxxxxxxxx> wrote:
>
> > If you're suggesting that altering the above code to do the level check before the call to get pkey, I think that would fix my problem.

Yes, that's what I'm saying, but also asking the broader list for feedback on such a change. Should security level zero succeed even with unsupported EE keys (which somehow get used with some other software???).

> ... if I can set level to a negative value. How do I set level? Is there an API or a configuration file?

It does not need to be negative, the test is "<= 0", but the default is in fact -1 (not set). There is indeed a function for setting a non-default security level: X509_VERIFY_PARAM_set_auth_level() and it is documented.

--
Viktor.