Re: Misunderstanding openssl verify

On Mon, 16 Aug 2021 16:30:05 +0200,
Ken Goldman wrote:
> 
> On 8/16/2021 10:04 AM, Viktor Dukhovni wrote:
> >> It seems as though the 'verify' command checks the issuer,
> >> but not the signature of the certificate - the last parameter.
> >
> > As documented.
> 
> Then I am not understanding the documentation.
> 
> https://www.openssl.org/docs/man1.1.1/man1/verify.html
> 
> says
> 
> "The final operation is to check the validity of the certificate chain.
> ...
>  The certificate signature is checked as well "
> 
> However, my experience is that the certificate signature is not
> checked.  I can hand modify the validity, public key, or
> signature, but the command still returns "OK".

The documentation on '-check_ss_sig' finishes with this:

"... This verification is disabled by default because it doesn't add
any security."

I'm sure this can be debated, but that's at least an explanation.

Cheers,
Richard

-- 
Richard Levitte         levitte@xxxxxxxxxxx
OpenSSL Project         http://www.openssl.org/~levitte/
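
The default that the quoted '-check_ss_sig' documentation describes, as an added example that is not part of the original message or of OpenSSL's own material: a self-signed certificate used as its own trust anchor is verified with and without the option, once intact and once with its signature altered. It assumes the openssl command-line tool is installed; the subject name, file names and helper functions are made up for the demo.

```shell
#!/bin/sh
# Constructed demo: the subject CN=demo-root and all file names are made up here.

# Create a self-signed RSA certificate ($1/root.pem) and a copy ($1/bad.pem)
# whose last DER byte, the final byte of the signature BIT STRING, is changed.
make_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-root" \
        -keyout "$dir/key.pem" -out "$dir/root.pem" 2>/dev/null || return 1
    openssl x509 -in "$dir/root.pem" -outform DER -out "$dir/bad.der" || return 1
    size=$(wc -c < "$dir/bad.der")
    last=$(tail -c 1 "$dir/bad.der" | od -An -tu1 | tr -d ' \n')
    new=$(( (last + 1) % 256 ))
    printf "\\$(printf '%03o' "$new")" |
        dd of="$dir/bad.der" bs=1 seek=$((size - 1)) conv=notrunc 2>/dev/null || return 1
    openssl x509 -inform DER -in "$dir/bad.der" -out "$dir/bad.pem"
}

# verify_self CERT [extra verify options]: the certificate is its own trust anchor.
# Prints "OK" or "FAIL" according to the exit status of openssl verify.
verify_self() {
    cert=$1; shift
    if openssl verify "$@" -CAfile "$cert" "$cert" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

# Expected results, in order: OK, OK, OK, FAIL.
demo() {
    tmp=$(mktemp -d) || return 1
    make_certs "$tmp" || { rm -rf "$tmp"; return 1; }
    echo "intact,   default:       $(verify_self "$tmp/root.pem")"
    echo "intact,   -check_ss_sig: $(verify_self "$tmp/root.pem" -check_ss_sig)"
    echo "tampered, default:       $(verify_self "$tmp/bad.pem")"
    echo "tampered, -check_ss_sig: $(verify_self "$tmp/bad.pem" -check_ss_sig)"
    rm -rf "$tmp"
}

demo
```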


