Check certificate extensions in trusted certificates. - openbsd - A mirror of https://github.com/libressl/openbsd.git

diff options

author	beck <>	2022-11-13 18:37:32 +0000
committer	beck <>	2022-11-13 18:37:32 +0000
commit	1c8142b1a8139993e81dbc7efd42da1e08a35df1 (patch)
tree	92c8eb7340d7ea5f92ee37794cea4b1cb98a4c26 /src/lib/libcrypto/dsa/dsa_gen.c
parent	4fb26602f2e5c0701783dcb35eb1b94cb55cbbea (diff)
download	openbsd-1c8142b1a8139993e81dbc7efd42da1e08a35df1.tar.gz openbsd-1c8142b1a8139993e81dbc7efd42da1e08a35df1.tar.bz2 openbsd-1c8142b1a8139993e81dbc7efd42da1e08a35df1.zip

Check certificate extensions in trusted certificates.

Historically the standards let the implementation decide to either check or ignore the certificate properties of trust anchors. You could either use them simply as a source of a public key which was trusted for everything, or you were also permitted to check the certificate properties and fully enforce them. Hooray for freedumb. OpenSSL changed to checking these with : commit 0daccd4dc1f1ac62181738a91714f35472e50f3c Author: Viktor Dukhovni <openssl-users@dukhovni.org> Date: Thu Jan 28 03:01:45 2016 -0500 BoringSSL currently does not check them, as it also inherited the previous OpenSSL behaviour. It will change to check them in the future. (https://bugs.chromium.org/p/boringssl/issues/detail?id=533)

Diffstat (limited to 'src/lib/libcrypto/dsa/dsa_gen.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: