Hello,
When I tested the OpenSSL SSL handshake process, I found that it might be impossible to turn off some certificate extended-usage checks while verifying a certificate. I investigated the following part of the source, in openssl/ssl/ssl_cert.c of OpenSSL 0.9.7 beta-2:

    int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
    {
        ...
        /* pick the verification purpose from the connection's role */
        if (s->server)
            i = X509_PURPOSE_SSL_CLIENT;
        else
            i = X509_PURPOSE_SSL_SERVER;

        X509_STORE_CTX_purpose_inherit(&ctx, i, s->purpose, s->trust);
        ...
    }

The above part sets the certificate purpose check option automatically, but I don't know whether the above implementation is critical. I think it would be more useful to use SSL_CTX_set_purpose() to turn all extended-usage checks on or off.
I always get smart answers from this mailing list, and almost all of my questions come from my limited understanding of how to use OpenSSL.
However, I would like to know how to turn off the X509_PURPOSE_SSL_SERVER or X509_PURPOSE_SSL_CLIENT check options programmatically, or why it is constrained as in the source above.
Thanks in advance to anyone who answers me.
J. H. Cha