When testing a certificate for its allowed purposes, I found:

$ for purpose in sslclient sslserver nssslserver smimesign smimeencrypt crlsign any ocsphelper
> do
> echo -n ${purpose}:
> openssl-0.9.8 verify -verbose -CAfile ca_chain.txt -purpose $purpose my.pem
> done

sslclient:my.pem: OK
sslserver:my.pem: OK
nssslserver:my.pem: OK
smimesign:my.pem: OK
smimeencrypt:my.pem: OK
crlsign:my.pem: /C=GB/O=Defer Test/OU=basic/CN=Martin Kraemer/emailAddress=martin@apache.org
error 26 at 0 depth lookup:unsupported certificate purpose
any:my.pem: OK
ocsphelper:my.pem: OK

For the case of the "crlsign" purpose, shouldn't openssl die with
a "non-OK" error, instead of printing an error, but finally "OK"?

| Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730 Munich, Germany
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org