> [[email protected] - Mon Sep 12 10:31:50 2011]:
>
> Thank you for looking at the patch and reporting the problem
> with it. I apologise that I did not test it properly. The path loop
> test in the patch should of course be first whether the issuer is
> in the chain and only if it is then whether it is lower than the
> cert x i.e.
>
The self signed check is clearly broken and I've committed this fix:

http://cvs.openssl.org/chngview?cn=22200

I'm not sure why we need to do anything more than that. As I see it if the candidate issuer certificate is already in the chain we should always reject it as we never want to include duplicate certificates in the chain.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
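
The duplicate rejection argued for in the reply above, as an added example that is not part of the original message and is not OpenSSL's code: a toy chain builder in C that stops as soon as a candidate issuer is already in the chain. It matches issuers by name only (an assumption; no signatures or key identifiers are checked), and all certificates, names and return codes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Toy certificate: names only (constructed model, not OpenSSL's X509). */
struct cert { const char *subject, *issuer; };
#define MAX_DEPTH 16
#define NPOOL 4

/* Constructed sample data: CA-A and CA-B cross-certify each other. */
static const struct cert POOL[NPOOL] = {
    {"CA-A", "CA-B"}, {"CA-B", "CA-A"}, {"Inter", "Root"}, {"Root", "Root"}};
static const struct cert LOOP_LEAF = {"leaf", "CA-A"};
static const struct cert GOOD_LEAF = {"www", "Inter"};

static int in_chain(const struct cert **chain, int n, const struct cert *c) {
    for (int i = 0; i < n; i++)
        if (chain[i] == c) return 1;
    return 0;
}

/* Returns the chain length, -1 if a candidate issuer was rejected because
 * it is already in the chain, -2 if only the depth cap ended the walk. */
int build_chain(const struct cert *leaf, int reject_dups,
                const struct cert **chain) {
    int n = 0;
    chain[n++] = leaf;
    for (;;) {
        const struct cert *cur = chain[n - 1], *next = NULL;
        if (strcmp(cur->subject, cur->issuer) == 0)
            return n;                  /* self-signed: chain complete */
        for (int i = 0; i < NPOOL && !next; i++)
            if (strcmp(POOL[i].subject, cur->issuer) == 0)
                next = &POOL[i];
        if (!next) return n;           /* no issuer known: partial chain */
        if (reject_dups && in_chain(chain, n, next))
            return -1;                 /* duplicate would start a loop */
        if (n == MAX_DEPTH) return -2; /* chain is full of repeats */
        chain[n++] = next;
    }
}

int main(void) {
    const struct cert *chain[MAX_DEPTH];
    printf("loop, dup check on:  %d\n", build_chain(&LOOP_LEAF, 1, chain));
    printf("loop, dup check off: %d\n", build_chain(&LOOP_LEAF, 0, chain));
    printf("normal chain:        %d\n", build_chain(&GOOD_LEAF, 1, chain));
    return 0;
}
```

With the duplicate check disabled, the cross-certified pair is appended alternately until the depth cap is reached; with it enabled, the walk ends at the first repeated certificate.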
