generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add new "valid_flags" field to CERT_PKEY structure which determines what

Browse Source 
the certificate can be used for (if anything). Set valid_flags field
in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
to have similar checks in it.

Add new "cert_flags" field to CERT structure and include a "strict mode".
This enforces some TLS certificate requirements (such as only permitting
certificate signature algorithms contained in the supported algorithms
extension) which some implementations ignore: this option should be used
with caution as it could cause interoperability issues.
This commit is contained in:
Dr. Stephen Henson
2012-06-28 12:45:49 +00:00
parent be681e123c
commit d61ff83be9
8 changed files with 258 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
ssl/s3_lib.c
View File

@@ -3921,6 +3921,8 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
allow = srvr;
}
tls1_set_cert_validity(s);
for (i=0; i<sk_SSL_CIPHER_num(prio); i++)
{
c=sk_SSL_CIPHER_value(prio,i);