> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of > Jakob Bohm via openssl-users > Sent: Tuesday, June 11, 2019 08:19 > > On 11/06/2019 12:50, Hareesh D wrote: > > > > Is this behavior valid and according to RFC ? > > There's an overarching OpenSSL policy that certificate checks are > done exclusively by the relying end (for client certs, that's the > server), except when certified end is trying to choose from > multiple certificates. > > Thus with only one certificate available, the OpenSSL sends the > (untrusted, and in this case inappropriate) certificate, just in > case the server was somehow configured to make a special exception > for this particular case. Yes. I for one would argue this existing behavior (i.e. not enforcing every mandate of every applicable standard, at every step of the way) is the Right Thing to do. While it's good that OpenSSL is increasingly providing functionality to make it easier for applications to follow the RFCs and other standards, it's also very important that applications have the flexibility to violate some aspects of those standards. That is critical for interoperability with non-standard peers, as Jakob wrote, and for testing, among other things. -- Michael Wojcik Distinguished Engineer, Micro Focus