author | tb <> | 2025-07-01 06:46:39 +0000 |
---|---|---|
committer | tb <> | 2025-07-01 06:46:39 +0000 |
commit | 9503d6ced5738f84fb45b1da3bdb9db4f7db4fc3 (patch) | |
tree | 6feef260a9528776ed1649d160bffbd99a8e3ad0 /src/lib/libtls/man/tls_accept_socket.3 | |
parent | b4547e972ef9a339486e56625399a1d7a9fa22e5 (diff) | |
download | openbsd-9503d6ced5738f84fb45b1da3bdb9db4f7db4fc3.tar.gz openbsd-9503d6ced5738f84fb45b1da3bdb9db4f7db4fc3.tar.bz2 openbsd-9503d6ced5738f84fb45b1da3bdb9db4f7db4fc3.zip |

X509_print: emit UIDs unless X509_FLAG_NO_IDS is set

issuerUID and subjectUID are a curiosity introduced in X.509v2 before
extensions were a thing. Their purpose is to help distinguish certs
with identical subject. They are rarely used and are MUST NOT use in
the CA/BF baseline requirements. They do occasionally show up in test
certificates and it is confusing that openssl x509 silently ignores
them. Their encoding also makes them relatively hard to spot in the
output of asn1 parsing tools.

The output is identical to OpenSSL < 3 and BoringSSL, but due to some
weird tweaks added leading up to OpenSSL 3 their output is no longer
compatible with that. It is not entirely correct anyway. Since it is
a (not further specified) bit string, you shouldn't be ignoring its
unused bits...

The X509_FLAG_NO_IDS flag has no effect for CSRs.

discussed with beck
ok job kenjiro (on an earlier version)

Diffstat (limited to 'src/lib/libtls/man/tls_accept_socket.3')
0 files changed, 0 insertions, 0 deletions
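
An added example, not part of this commit or of LibreSSL, for the two encoding points in the message: in a DER TBSCertificate the issuerUniqueID and subjectUniqueID fields are `[1]` and `[2]` IMPLICIT BIT STRINGs, so they appear as bare context tags 0x81 and 0x82, and their first content octet is the unused-bits count. The names `sample_tbs`, `der_hdr` and `find_uids` are hypothetical, and the sample bytes are constructed.

```c
#include <stdio.h>

/* Constructed sample, not a real certificate: a v2 TBSCertificate skeleton. */
static const unsigned char sample_tbs[] = {
	0x30, 0x1b, 0xa0, 0x03, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01,
	0x30, 0x00, 0x30, 0x00, 0x30, 0x00, 0x30, 0x00, 0x30, 0x00, /* empty */
	0x81, 0x03, 0x00, 0xab, 0xcd,	/* issuerUID: 0 unused bits */
	0x82, 0x02, 0x03, 0xa8,		/* subjectUID: 3 unused bits */
};
/* Read the DER header at p: set *len, return header size or 0 if malformed. */
static size_t der_hdr(const unsigned char *p, size_t n, size_t *len)
{
	size_t hdr = 2, i;
	if (n < 2 || (p[0] & 0x1f) == 0x1f)	/* high tag numbers unsupported */
		return 0;
	*len = p[1];
	if (p[1] & 0x80) {			/* long-form length */
		hdr += p[1] & 0x7f;
		if (hdr == 2 || hdr > 2 + sizeof(*len) || hdr > n)
			return 0;
		for (*len = 0, i = 2; i < hdr; i++)
			*len = (*len << 8) | p[i];
	}
	return *len <= n - hdr ? hdr : 0;
}
/* Report the unused-bits octet of issuerUID (0x81) and subjectUID (0x82), -1 if absent. */
int find_uids(const unsigned char *p, size_t n, int *iss, int *sub)
{
	size_t hdr, len;
	*iss = *sub = -1;
	if ((hdr = der_hdr(p, n, &len)) == 0 || p[0] != 0x30)
		return -1;
	for (p += hdr, n = len; n > 0; p += hdr + len, n -= hdr + len) {
		if ((hdr = der_hdr(p, n, &len)) == 0)
			return -1;
		if (p[0] != 0x81 && p[0] != 0x82)
			continue;
		if (len < 1 || p[hdr] > 7 || (len == 1 && p[hdr] != 0))
			return -1;	/* invalid BIT STRING unused-bits octet */
		*(p[0] == 0x81 ? iss : sub) = p[hdr];
	}
	return 0;
}

int main(void)
{
	int i, s, rc = find_uids(sample_tbs, sizeof(sample_tbs), &i, &s);
	printf("rc=%d issuerUID unused bits=%d subjectUID unused bits=%d\n", rc, i, s);
	return rc != 0;
}
```

The walker only inspects the top level of the TBSCertificate, where tags 0x81 and 0x82 can only be the two unique identifiers.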