On Wed Jul 20 16:58:20 2016, janj...@nikhef.nl wrote:
> Hi Richard,
>
> On 20/07/16 17:14, Richard Levitte via RT wrote:
> > On Mon Jul 11 11:34:35 2016, mattias.ell...@physics.uu.se wrote:
> >> I guess having a more restrictive accessor that only sets the
> >> EXFLAG_PROXY bit could work. I suggested the more general solution of
> >> having set/clear accessors for arbitrary flags since it was - well more
> >> general.
> > So let me ask this in a different manner, does OpenSSL 1.1 still not set the
> > EXFLAG_PROXY flag correctly? In what situations does that happen? That may be
> > worth a bug report of its own.
> >
> this ties into my earlier question and example of verifying proxy
> certificates. What if I want to explicitly *set* the EXFLAG_PROXY for a
> stack of certificates?

I assume you only want that flag set for actual proxy certs and no other. If you simply want to make sure the certs in a stack are properly flagged by OpenSSL, call X509_check_purpose for each of them.

> how would I do that? how can I ensure that
> OpenSSL 1.1 will automagically trigger this flag for me? Is there a
> 'get_*' function to determine which flags were set during certificate
> verification?
>
> thanks for any pointers or advice,

The function to retrieve the extension flags is X509_get_extension_flags(). You call that for each X509*. Incidentally, this function calls X509_check_purpose to make sure the caches are properly built up...

--
Richard Levitte
levi...@openssl.org

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602
Please log in as guest with password guest if prompted

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev