Check certificate extensions in trusted certificates. - openbsd - A mirror of https://github.com/libressl/openbsd.git

diff options

author	beck <>	2022-11-13 18:37:32 +0000
committer	beck <>	2022-11-13 18:37:32 +0000
commit	b10fff2d2486c7f66b4a443e8ad68ef2b2021928 (patch)
tree	92c8eb7340d7ea5f92ee37794cea4b1cb98a4c26 /src/lib/libcrypto/x509/x509_enum.c
parent	b2adf01da2682fbf7809dc301d850a728803bffd (diff)
download	openbsd-b10fff2d2486c7f66b4a443e8ad68ef2b2021928.tar.gz openbsd-b10fff2d2486c7f66b4a443e8ad68ef2b2021928.tar.bz2 openbsd-b10fff2d2486c7f66b4a443e8ad68ef2b2021928.zip

Check certificate extensions in trusted certificates.

Historically the standards let the implementation decide to either check or ignore the certificate properties of trust anchors. You could either use them simply as a source of a public key which was trusted for everything, or you were also permitted to check the certificate properties and fully enforce them. Hooray for freedumb. OpenSSL changed to checking these with : commit 0daccd4dc1f1ac62181738a91714f35472e50f3c Author: Viktor Dukhovni <openssl-users@dukhovni.org> Date: Thu Jan 28 03:01:45 2016 -0500 BoringSSL currently does not check them, as it also inherited the previous OpenSSL behaviour. It will change to check them in the future. (https://bugs.chromium.org/p/boringssl/issues/detail?id=533)

Diffstat (limited to 'src/lib/libcrypto/x509/x509_enum.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: