Louis LeBlanc wrote:
>
>
> Maybe OpenSSL does it this way when it encounters a cert without a
> pathlen specified, but as I mentioned in an earlier message on this
> thread, Netscape (4.76?) for Linux (running on FreeBSD) seems to
> have a problem. Adding the pathlen was the final trick that made it
> work. Without the pathlen, I got
>
> "Certificate path length constraint is invalid."
>
> In a Netscape popup.
>
Well if the certificate is correctly encoded and pathlen is absent then
it should interpret it as unlimited. This is specified in a number of
places including RFC2459. If Netscape is doing otherwise then its a bug.
I haven't seen that popup you mention before. If this standard Netscape
4.76 or PSM? I'd like to reproduce it and report it at some point.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]