On Tue, Jul 05, 2005, Martin Kraemer wrote:

> When testing a certificate for its allowed purposes, I found:
> $ for purpose in sslclient sslserver nssslserver smimesign smimeencrypt crlsign any ocsphelper
> > do
> > echo -n ${purpose}:
> > openssl-0.9.8 verify -verbose -CAfile ca_chain.txt -purpose $purpose my.pem
> > done
>
> sslclient:my.pem: OK
> sslserver:my.pem: OK
> nssslserver:my.pem: OK
> smimesign:my.pem: OK
> smimeencrypt:my.pem: OK
> crlsign:my.pem: /C=GB/O=Defer Test/OU=basic/CN=Martin Kraemer/emailAddress=martin@apache.org
> error 26 at 0 depth lookup:unsupported certificate purpose
> OK
> any:my.pem: OK
> ocsphelper:my.pem: OK
>
> For the case of the "crlsign" purpose, shouldn't openssl die with
> a "non-OK" error, instead of printing an error, but finally "OK"?

The 'verify' utility includes a callback which, after printing out the code,
overrides all errors.

This is for debugging purposes so that all the errors a certificate chain would
produce can be printed out rather than halting on the first one.

Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org
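Because the callback described in the reply above overrides errors after printing them, a script cannot take the trailing "OK" as the verdict. The following is an added example, not part of the original thread or of OpenSSL: it decides pass/fail from the printed "error N at D depth lookup" lines instead. The function names, the `OPENSSL` variable and the reliance on the output format quoted in the thread are assumptions.

```shell
# Added example: judge an `openssl verify` run by its diagnostics, not by "OK".
# Assumes the output format quoted in the thread above.

# Print every verify error code found on stdin, one per line.
verify_error_codes() {
    awk '{ for (i = 1; i + 2 <= NF; i++)
             if ($i == "error" && $(i+1) ~ /^[0-9]+$/ && $(i+2) == "at")
                 print $(i+1) }'
}

# Succeed only if stdin has no error line AND has a line ending in "OK".
verify_output_ok() {
    out=$(cat)
    [ -z "$(printf '%s\n' "$out" | verify_error_codes)" ] || return 1
    printf '%s\n' "$out" | awk '$NF == "OK" { ok = 1 } END { exit !ok }'
}

# Hypothetical wrapper: check_purpose CAFILE PURPOSE CERT
# OPENSSL may name a specific binary (the thread used openssl-0.9.8).
check_purpose() {
    "${OPENSSL:-openssl}" verify -CAfile "$1" -purpose "$2" "$3" 2>&1 |
        verify_output_ok
}

# Sample inputs: output lines copied from the thread above.
sample_sslclient() {
cat <<'EOF'
sslclient:my.pem: OK
EOF
}
sample_crlsign() {
cat <<'EOF'
crlsign:my.pem: /C=GB/O=Defer Test/OU=basic/CN=Martin Kraemer/emailAddress=martin@apache.org
error 26 at 0 depth lookup:unsupported certificate purpose
OK
EOF
}

for s in sample_sslclient sample_crlsign; do
    if $s | verify_output_ok; then
        echo "$s: pass"
    else
        echo "$s: FAIL (error codes: $($s | verify_error_codes))"
    fi
done
```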