[EMAIL PROTECTED] - Thu Mar 11 08:22:37 2004]:

> The patch below should be self explanatory, but just in case...
>
> There are several places where check_issued is called like:
>
>     /* If we are self signed, we break */
>     xn=X509_get_issuer_name(x);
>     if (ctx->check_issued(ctx,x,x)) break;
>
> If x is not self-signed, check_issued should return 0, and that is
> what happens provided X509_V_FLAG_CB_ISSUER_CHECK is not set.
> If X509_V_FLAG_CB_ISSUER_CHECK is used, we get spurious errors about
> subject issuer mismatch, and a non-zero return which breaks the logic
> above.
>
> Repeat using any valid cert which is not self signed and run
>
>     openssl verify -issuer_checks cert.pem
The flag X509_V_FLAG_CB_ISSUER_CHECK is not set by default, and those "error" conditions are not sent to the verify callback because they need special handling. This could be a problem if an application wrongly sets the flag and has a verify callback that returns non-zero for such codes. However, that's an application error: I notice that the callback for the openssl applications mishandles it :-( I'll look into that.

The reasoning behind that flag is that an application can use it for debugging or special handling purposes. But it isn't handled the same way as the normal error conditions, so it isn't enabled by default.

For debugging it could be used when a verify failed, to determine *why* OpenSSL didn't regard a certificate as self signed. Special handling might involve a case where an application (for whatever reason) wants to specifically override the error and give OpenSSL the impression that a certificate is really self signed when the internal checks suggest it is not.

Steve.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
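The failure mode the two messages describe, as a toy model added here for illustration; this is not OpenSSL's code and not code from either poster. The cert struct, the `ctx_t` context, the `FLAG_CB_ISSUER_CHECK` bit, the `ERR_SUBJECT_ISSUER_MISMATCH` code and the callback signature are all stand-ins for OpenSSL's `X509`, `X509_STORE_CTX`, `X509_V_FLAG_CB_ISSUER_CHECK`, `X509_V_ERR_SUBJECT_ISSUER_MISMATCH` and `int (*)(int, X509_STORE_CTX *)`. It reproduces the loop quoted above (`if (ctx->check_issued(ctx, x, x)) break;`) and shows why a verify callback that blindly returns non-zero for the issuer-check codes makes a non-self-signed leaf look self-signed, so chain building stops at depth 1, while a callback that only logs and passes the verdict through leaves the chain intact. The three-cert store (root, intermediate, leaf) is constructed inline.

```c
/*
 * Toy model of the check_issued()/verify-callback interaction discussed in
 * the thread.  Not OpenSSL code: names and structs are simplified stand-ins.
 */
#include <stdio.h>
#include <string.h>

/* Stand-ins for X509_V_FLAG_CB_ISSUER_CHECK and X509_V_ERR_SUBJECT_ISSUER_MISMATCH. */
#define FLAG_CB_ISSUER_CHECK        0x1UL
#define ERR_SUBJECT_ISSUER_MISMATCH 29

/* A certificate reduced to the two names the issuer check compares. */
typedef struct { const char *subject; const char *issuer; } cert_t;

/* Application verify callback: gets the verdict so far, the error code and
 * the cert; whatever it returns replaces the verdict (the override path). */
typedef int (*verify_cb)(int ok, int err, const cert_t *cert);

typedef struct {
    unsigned long flags;   /* verification flags, e.g. FLAG_CB_ISSUER_CHECK */
    verify_cb     cb;      /* application callback */
    int           error;   /* last error reported through the callback */
} ctx_t;

/* Did `issuer` issue `subj`?  Toy check: issuer name must equal subject name.
 * Without the flag a mismatch is a quiet 0.  With the flag the mismatch is
 * routed through the callback and the callback's answer is returned, which is
 * exactly what lets a careless callback turn "not issued" into "issued". */
static int check_issued(ctx_t *ctx, const cert_t *subj, const cert_t *issuer)
{
    if (strcmp(subj->issuer, issuer->subject) == 0)
        return 1;
    if (!(ctx->flags & FLAG_CB_ISSUER_CHECK))
        return 0;
    ctx->error = ERR_SUBJECT_ISSUER_MISMATCH;
    return ctx->cb(0, ctx->error, subj);
}

/* Walk from the leaf towards a self-signed root, mirroring the quoted loop.
 * Returns the number of certs placed in `chain`. */
static int build_chain(ctx_t *ctx, const cert_t *leaf,
                       const cert_t *store, int nstore,
                       const cert_t *chain[], int maxchain)
{
    const cert_t *x = leaf;
    int depth = 0;

    while (depth < maxchain) {
        chain[depth++] = x;
        /* If we are self signed, we break */
        if (check_issued(ctx, x, x))
            break;
        const cert_t *found = NULL;
        for (int i = 0; i < nstore; i++) {
            if (check_issued(ctx, x, &store[i])) { found = &store[i]; break; }
        }
        if (found == NULL)
            break;              /* no issuer in the store: chain is incomplete */
        x = found;
    }
    return depth;
}

/* Wrong callback: overrides every error, including the issuer-check codes. */
static int cb_override_all(int ok, int err, const cert_t *c)
{
    (void)ok; (void)err; (void)c;
    return 1;
}

/* Sensible callback: log the reason and return the verdict unchanged. */
static int cb_log_only(int ok, int err, const cert_t *c)
{
    if (!ok)
        fprintf(stderr, "issuer check: '%s' not issued by candidate (err %d)\n",
                c->subject, err);
    return ok;
}

/* Build the chain for a constructed root -> intermediate -> leaf hierarchy
 * and return its length (3 = complete, 1 = leaf mistaken for self-signed). */
int chain_len_for(unsigned long flags, verify_cb cb)
{
    static const cert_t leaf    = { "leaf.example",    "Intermediate CA" };
    static const cert_t store[] = {
        { "Intermediate CA", "Root CA" },
        { "Root CA",         "Root CA" },   /* genuinely self-signed */
    };
    const cert_t *chain[8];
    ctx_t ctx = { flags, cb, 0 };

    return build_chain(&ctx, &leaf, store, 2, chain, 8);
}

int main(void)
{
    printf("no flag,  override-all cb: chain length %d\n",
           chain_len_for(0, cb_override_all));
    printf("flag set, log-only cb    : chain length %d\n",
           chain_len_for(FLAG_CB_ISSUER_CHECK, cb_log_only));
    printf("flag set, override-all cb: chain length %d\n",
           chain_len_for(FLAG_CB_ISSUER_CHECK, cb_override_all));
    return 0;
}
```

The first two runs give a 3-cert chain; the third stops at the leaf, which is the "spurious self signed" symptom reported above. The practical rule it illustrates is the one Steve states: a verify callback should never answer non-zero for the issuer-check codes unless it deliberately wants OpenSSL to treat the certificate as self signed. In current OpenSSL releases the `-issuer_checks` option is documented as ignored, so this remains a model of the 2004 code path rather than of today's library.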
