authorDr. Stephen Henson <steve@openssl.org>2012-12-26 14:26:53 +0000
committerDr. Stephen Henson <steve@openssl.org>2012-12-26 14:26:53 +0000
commit484f8762352351598ffab55be6e6612891c291b7 (patch)
tree1f7fe7b1b30e2296b25c5cddacf2787568b86ad5 /ssl/s3_lib.c
parentc70a1fee71119a9005b1f304a3bf47694b4a53ac (diff)
Add new "valid_flags" field to CERT_PKEY structure which determines what
the certificate can be used for (if anything). Set valid_flags field in new tls1_check_chain function. Simplify ssl_set_cert_masks which used to have similar checks in it. Add new "cert_flags" field to CERT structure and include a "strict mode". This enforces some TLS certificate requirements (such as only permitting certificate signature algorithms contained in the supported algorithms extension) which some implementations ignore: this option should be used with caution as it could cause interoperability issues. (backport from HEAD)
Diffstat (limited to 'ssl/s3_lib.c')
-rw-r--r--ssl/s3_lib.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 5e7c590ca1..ac70eaf966 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3911,6 +3911,8 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
allow = srvr;
}
+ tls1_set_cert_validity(s);
+
for (i=0; i<sk_SSL_CIPHER_num(prio); i++)
{
c=sk_SSL_CIPHER_value(prio,i);
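Review bot: The added `tls1_set_cert_validity(s);` call just above the `for` loop carries no comment, although its position looks load-bearing. Going by the commit description, it refreshes the per-certificate `valid_flags` that decide what each certificate may be used for, and the cipher loop presumably depends on those flags being current for this handshake. I would add a comment such as `/* Recompute CERT_PKEY valid_flags for this handshake; must run before ciphers are matched against the certificate masks */` so a later refactor does not move the call below the loop or drop it. It is also worth confirming that every path reaching certificate selection, including renegotiation and strict mode, passes through this call, so that flags from an earlier handshake are never reused. ssl3_choose_cipher begins and ends outside the hunk, so neither the loop body nor the mask computation could be checked here.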