I checked some other certificates, and found that some non-self-signed
certificates having duplicate extension instances can be verified by
openssl. I guess openssl is quite gentle when validating these malformed
certificates.

On Sun, Apr 5, 2015 at 1:55 PM, Yuting Chen <che...@cs.sjtu.edu.cn> wrote:

> Hi, when I verify an X509 cert against a ca certificate, I found that the
> cert can pass validation even if it has two instances of X509v3 Basic
> Constraints, X509v3 Subject Key ids, and authority key ids. Seems that some
> issues are not important in verification. (I guess one reason is that one
> subject key id is the same as the authority key id, and thus openssl may
> regard it as a self-signed certificate?) Should this be forbidden?
> command: openssl verify -x509_strict -verbose -CAfile myroot.pem mycert.pem
>
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
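
Added example (not from the original messages or from OpenSSL): the messages above report `openssl verify` accepting certificates with repeated extensions, so a pre-check can count extension OIDs directly in the DER and flag repeats, which RFC 5280 section 4.2 prohibits. The function names and the skeleton certificate are constructed for illustration; real input would be a certificate's DER bytes (for example from `openssl x509 -outform DER`).

```python
from collections import Counter

def read_tlv(buf, pos):                      # -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length: next n bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):               # TLVs directly inside [start, end)
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def decode_oid(raw):
    arcs, val = [], 0
    for b in raw:                            # base-128 subidentifiers
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    first = min(arcs[0] // 40, 2)            # first two arcs share one value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def duplicate_extensions(cert_der):
    """Return {extension OID: count} for every OID present more than once."""
    _, cs, _ = read_tlv(cert_der, 0)         # Certificate
    _, ts, te = read_tlv(cert_der, cs)       # tbsCertificate
    counts = Counter()
    for tag, vs, _ in children(cert_der, ts, te):
        if tag == 0xA3:                      # [3] EXPLICIT Extensions
            _, es, ee = read_tlv(cert_der, vs)
            for _, xs, _ in children(cert_der, es, ee):
                _, o_s, o_e = read_tlv(cert_der, xs)   # extnID is the first field
                counts[decode_oid(cert_der[o_s:o_e])] += 1
    return {oid: n for oid, n in counts.items() if n > 1}

# Constructed sample: certificate skeleton (empty names, dummy signature), not a real cert.
def tlv(tag, *parts):                        # short-form lengths only (< 128 bytes)
    return bytes([tag, len(b"".join(parts))]) + b"".join(parts)

BC = tlv(0x30, tlv(0x06, b"\x55\x1d\x13"), tlv(0x04, tlv(0x30)))               # basicConstraints
SKI = tlv(0x30, tlv(0x06, b"\x55\x1d\x0e"), tlv(0x04, tlv(0x04, b"\xaa")))     # subjectKeyIdentifier
KU = tlv(0x30, tlv(0x06, b"\x55\x1d\x0f"), tlv(0x04, tlv(0x03, b"\x05\xa0")))  # keyUsage
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), *[tlv(0x30)] * 5,
          tlv(0xA3, tlv(0x30, BC, SKI, KU, BC, SKI)))   # BC and SKI appear twice
SAMPLE_CERT = tlv(0x30, TBS, tlv(0x30), tlv(0x03, b"\x00"))
```

`duplicate_extensions(SAMPLE_CERT)` reports basicConstraints (2.5.29.19) and subjectKeyIdentifier (2.5.29.14) twice each; an empty result means no extension OID is repeated.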