Add new "valid_flags" field to CERT_PKEY structure which determines what
author Dr. Stephen Henson <steve@openssl.org>
Thu, 28 Jun 2012 12:45:49 +0000 (12:45 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Thu, 28 Jun 2012 12:45:49 +0000 (12:45 +0000)
commit d61ff83be977d9622b98f61a49ab3c1ca2db78a1
tree f29721e92e40eb9efc2276e1f6efbb74c591ebce
parent be681e123c3582f7bef18ed41b5ffa4793e8c4f7
Add new "valid_flags" field to CERT_PKEY structure which determines what
the certificate can be used for (if anything). Set valid_flags field
in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
to have similar checks in it.

Add new "cert_flags" field to CERT structure and include a "strict mode".
This enforces some TLS certificate requirements (such as only permitting
certificate signature algorithms contained in the supported algorithms
extension) which some implementations ignore: this option should be used
with caution as it could cause interoperability issues.
CHANGES
apps/s_server.c
ssl/s3_lib.c
ssl/ssl.h
ssl/ssl_cert.c
ssl/ssl_lib.c
ssl/ssl_locl.h
ssl/t1_lib.c