Hi Steve,

thanks for the followup.

On Thu, 11 Mar 2004 14:33:55 +0100 (MET), "Stephen Henson via RT" writes:
>The flag X509_V_FLAG_CB_ISSUER_CHECK is not set by default and those
>"error" conditions are not sent to the verify callback because they need
>special handling.

And in the case where the purpose of the call was to see if x was
self-signed (and it wasn't) there really isn't an "error" for the
callback to be bothered with.  So even if X509_V_FLAG_CB_ISSUER_CHECK
is set, the callback should not be called - for the specific case of a
call to check_issued with x == issuer, nor should an error be recorded.

>This could be a problem if an application wrongly sets the flag and has
>a verify callback that returns non-zero for such codes. However that's
>application error: 

Yes, but it's only an error that the application is not compensating
for an error in the library.  The library should be calling the
callback for real "errors" only.

>The reasoning behind that flag is that an application can use it for
>debugging or special handling purposes. But it isn't handled the same

Hmmm ok, the comment I read suggested its use was as a double check
that the "issuer" found was indeed the correct one.  But that does not
imply that the app should expect its callback to be called for every
cert - because it wasn't self-signed.

>For debugging it could be used when a verify failed to determine *why*
>OpenSSL didn't regard a certificate as self signed.

Interesting, but gdb is a better tool in that case ;-)

>Special handling might involve a case where an application (for whatever
>reason) wants to specifically override the error and give OpenSSL the
>impression that a certificate is really self signed when the internal
>checks suggest it is not.

An interesting notion, but a rather dangerous one esp if the
implications of this flag are not clearly documented.
As is, any callback that does not specifically check that it is being
called for the case of issuer == x, and then go mucking with what
should really be library internal data, is apt to make OpenSSL think
it has a self-signed cert - when in fact it does not.

All in all I think the current behavior is broken.

Thanks
--sjg

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]