Hi Kurt,

> I was looking at return codes for applications making use of
> openssl functions and found this in x509.c:
>
> if (X509_verify(cert, key) == -1) {
>     log_print("x509_cert_validate: self-signed cert is bad");
>     return 0;
> }
>
> X509_verify returns the value of the ASN1_item_verify() call
> which normally returns 0 if the verification failed,
> but can also return -1 for some other error cases.
>
> I have no idea what this code is used for or what the
> consequences of this are.
I'm not at all an expert on openssl, but I think the code is correct here. Current upstream (http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/isakmpd/x509.c?rev=1.112) also still has this: X509_verify_cert() is used first to verify the certificate. Here, all three cases (ret < 0, ret == 0, ret > 0) are handled. Only if ret == 0 and the error indicates a self-signed certificate and "Accept-self-signed" is enabled in the configuration (which is a bad idea anyhow), the self-signed certificate is checked again using X509_verify(). If I understand the code correctly, ret == 0 can't happen here as a self-signed certificate will always match its own public key. So this function only checks for corrupted certificates.

Thanks,
Jochen
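The decision flow Jochen describes (chain verification first; a direct X509_verify() of the certificate against its own key only when verification failed, the error is "self-signed", and the configuration allows it) can be exercised without linking OpenSSL by passing the return values in. The block below is an added example, not isakmpd or OpenSSL code: the names `validate`, `sig_check_fn`, the stub checkers and the `strict` flag are all assumptions. It keeps the posted `== -1` comparison beside a fail-closed `!= 1` comparison so the difference is visible: with the posted comparison a 0 ("signature did not verify") from the self-signed check is accepted, with the strict one it is rejected.

```c
#include <stdio.h>

/* Stand-in for X509_verify(cert, key): 1 = signature valid,
 * 0 = signature check failed, -1 = error (could not check at all).
 * The three stub functions below simulate those outcomes; no real
 * certificate is parsed here. */
typedef int (*sig_check_fn)(void);

static int sig_ok(void)  { return 1; }
static int sig_bad(void) { return 0; }
static int sig_err(void) { return -1; }

/* Mirrors the flow in the thread for the result of X509_verify_cert():
 *   ret < 0  -> internal error, reject
 *   ret > 0  -> chain verified against a trusted CA, accept
 *   ret == 0 -> verification failed; only a self-signed certificate with
 *               "Accept-self-signed" enabled gets a second look via check()
 * strict = 0 uses the posted comparison (rc == -1 is bad),
 * strict = 1 treats anything other than 1 as bad (fail closed).
 * Returns 1 = accept, 0 = reject. */
static int validate(int verify_cert_ret, int err_is_self_signed,
                    int accept_self_signed, sig_check_fn check, int strict)
{
    int rc;

    if (verify_cert_ret < 0) {
        printf("x509_cert_validate: internal error during verification\n");
        return 0;
    }
    if (verify_cert_ret > 0)
        return 1;

    /* verify_cert_ret == 0: the chain did not verify */
    if (!err_is_self_signed || !accept_self_signed) {
        printf("x509_cert_validate: certificate rejected\n");
        return 0;
    }

    rc = check();
    if (strict ? (rc != 1) : (rc == -1)) {
        printf("x509_cert_validate: self-signed cert is bad (rc=%d)\n", rc);
        return 0;
    }
    return 1;
}

int main(void)
{
    /* The case the thread is about: self-signed, accepted by config,
     * signature check returns 0 instead of 1. */
    printf("posted comparison accepts rc=0: %d\n", validate(0, 1, 1, sig_bad, 0));
    printf("strict comparison accepts rc=0: %d\n", validate(0, 1, 1, sig_bad, 1));
    return 0;
}
```

Whether rc == 0 can actually occur for a self-signed certificate is exactly Jochen's point; the strict form simply does not depend on that argument being right.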