We are creating certificates with a SAN URI containing a userinfo component:
    X509v3 Subject Alternative Name:
        URI:wireapp://username@xxxxxxxxxxx
This produces valid certificates until we add a name constraint limiting the permitted URIs:
    X509v3 Name Constraints: critical
        Permitted:
          DNS:example.com
          DNS:localhost
          URI:example.com
          URI:localhost
With this addition openssl verification fails with
    error 47 at 0 depth lookup: permitted subtree violation
    error cert.pem: verification failed
Shouldn't the userinfo component of a URI be ignored when applying URI name constraints?
openssl version: OpenSSL 1.1.1q 5 Jul 2022
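Added example, not part of the original post and not OpenSSL's code: the RFC 5280 section 4.2.1.10 URI constraint check applied to the host taken from the RFC 3986 authority (userinfo and port dropped), next to a hypothetical extraction that keeps the userinfo. The SAN host example.com is a constructed value because the post masks the real one, and the function names are illustrative.

```python
import ipaddress
from urllib.parse import urlsplit

# Constraints from the post; the SAN host is constructed (masked in the post).
PERMITTED = ["example.com", "localhost"]
SAN = "wireapp://username@example.com"

def host_rfc3986(uri):
    """Host of the authority component: userinfo and port are dropped."""
    return urlsplit(uri).hostname  # None when the URI has no authority

def host_naive(uri):
    """Hypothetical extraction (assumption, for contrast only): everything
    after '://' up to the first ':' or '/', so userinfo stays attached."""
    _, sep, rest = uri.partition("://")
    if not sep:
        return None
    for i, ch in enumerate(rest):
        if ch in ":/":
            return rest[:i].lower()
    return rest.lower()

def host_permitted(host, constraint):
    """RFC 5280 4.2.1.10: '.example.com' matches hosts with one or more
    extra labels; a constraint without a leading dot names a single host."""
    constraint = constraint.lower()
    if constraint.startswith("."):
        return host.endswith(constraint)
    return host == constraint

def uri_permitted(uri, permitted, extract=host_rfc3986):
    host = extract(uri)
    if not host:
        return False  # no authority/host: RFC 5280 says reject
    try:
        ipaddress.ip_address(host)
        return False  # host given as an IP address: RFC 5280 says reject
    except ValueError:
        pass
    return any(host_permitted(host, c) for c in permitted)

if __name__ == "__main__":
    for extract in (host_rfc3986, host_naive):
        print(extract.__name__, repr(extract(SAN)),
              uri_permitted(SAN, PERMITTED, extract))
```

With the userinfo left in place, the compared string is username@example.com, which cannot equal the permitted host example.com, so the check reports a permitted subtree violation for a URI whose host is in fact allowed.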