Move leaf certificate checks to the last thing after chain validation. - openbsd - A mirror of https://github.com/libressl/openbsd.git

diff options

author	beck <>	2022-06-25 20:01:43 +0000
committer	beck <>	2022-06-25 20:01:43 +0000
commit	e9036ffdef0c2cfa078cbb4d5452bcdbf2133de1 (patch)
tree	a057ee19ce4f7b27f7b8864ab578d7746ac590e9 /src/lib/libcrypto/x509/x509_constraints.c
parent	e7c01c7656fec8f4cafec5c7e584756ae4af7804 (diff)
download	openbsd-e9036ffdef0c2cfa078cbb4d5452bcdbf2133de1.tar.gz openbsd-e9036ffdef0c2cfa078cbb4d5452bcdbf2133de1.tar.bz2 openbsd-e9036ffdef0c2cfa078cbb4d5452bcdbf2133de1.zip

Move leaf certificate checks to the last thing after chain validation.

While seemingly illogical and not what is done in Go's validator, this mimics OpenSSL's behavior so that callback overrides for the expiry of a certificate will not "sticky" override a failure to build a chain. ok jsing@

Diffstat (limited to 'src/lib/libcrypto/x509/x509_constraints.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: