diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2012-12-26 14:26:53 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2012-12-26 14:26:53 +0000 |
commit | 484f8762352351598ffab55be6e6612891c291b7 (patch) | |
tree | 1f7fe7b1b30e2296b25c5cddacf2787568b86ad5 /ssl/s3_lib.c | |
parent | c70a1fee71119a9005b1f304a3bf47694b4a53ac (diff) |
Add new "valid_flags" field to CERT_PKEY structure which determines what
the certificate can be used for (if anything). Set valid_flags field
in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
to have similar checks in it.
Add new "cert_flags" field to CERT structure and include a "strict mode".
This enforces some TLS certificate requirements (such as only permitting
certificate signature algorithms contained in the supported algorithms
extension) which some implementations ignore: this option should be used
with caution as it could cause interoperability issues.
(backport from HEAD)
Diffstat (limited to 'ssl/s3_lib.c')
-rw-r--r-- | ssl/s3_lib.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 5e7c590ca1..ac70eaf966 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3911,6 +3911,8 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, allow = srvr; } + tls1_set_cert_validity(s); + for (i=0; i<sk_SSL_CIPHER_num(prio); i++) { c=sk_SSL_CIPHER_value(prio,i); |