generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update from 0.9.8-stable.

Browse Source
This commit is contained in:
Dr. Stephen Henson
2009-06-15 15:01:00 +00:00
parent 512cab0128
commit 31db43df08
2 changed files with 10 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
crypto/x509/x509_vfy.c
View File

@@ -1609,7 +1609,11 @@ static int internal_verify(X509_STORE_CTX *ctx)
while (n >= 0)
{
ctx->error_depth=n;
if (!xs->valid)
/* Skip signature check for self signed certificates. It
* doesn't add any security and just wastes time.
*/
if (!xs->valid && xs != xi)
{
if ((pkey=X509_get_pubkey(xi)) == NULL)
{
@@ -1619,13 +1623,6 @@ static int internal_verify(X509_STORE_CTX *ctx)
if (!ok) goto end;
}
else if (X509_verify(xs,pkey) <= 0)
/* XXX For the final trusted self-signed cert,
* this is a waste of time. That check should
* optional so that e.g. 'openssl x509' can be
* used to detect invalid self-signatures, but
* we don't verify again and again in SSL
* handshakes and the like once the cert has
* been declared trusted. */
{
ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
ctx->current_cert=xs;