Reject certificates with unhandled critical extensions.

author: Dr. Stephen Henson <steve@openssl.org> 2001-10-21 02:09:15 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2001-10-21 02:09:15 +0000
commit: f1558bb4243d83781793ed758367bd71d0983a35 (patch)
tree: e1971f6bf6360b9cd2e1fad6ad8f77ed4b916063 /CHANGES
parent: 6ca487992bc63d45f9780c6b83eecf025830e34b (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index 79ee3c82e4..94605d7ffd 100644
--- a/CHANGES
+++ b/CHANGES
@@ -12,6 +12,15 @@
          *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7
          +) applies to 0.9.7 only
 
+  +) Test for certificates which contain unsupported critical extensions.
+     If such a certificate is found during a verify operation it is 
+     rejected by default: this behaviour can be overridden by either
+     handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or
+     by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function
+     X509_supported_extension() has also been added which returns 1 if a
+     particular extension is supported.
+     [Steve Henson]
+
   +) New functions/macros
 
           SSL_CTX_set_msg_callback(ctx, cb)
author	Dr. Stephen Henson <steve@openssl.org>	2001-10-21 02:09:15 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2001-10-21 02:09:15 +0000
commit	f1558bb4243d83781793ed758367bd71d0983a35 (patch)
tree	e1971f6bf6360b9cd2e1fad6ad8f77ed4b916063 /CHANGES
parent	6ca487992bc63d45f9780c6b83eecf025830e34b (diff)