V1 certificates that aren't self signed can't be accepted as CAs.

author Dr. Stephen Henson <steve@openssl.org>

Fri, 3 Dec 2004 00:10:34 +0000 (00:10 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Fri, 3 Dec 2004 00:10:34 +0000 (00:10 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Fri, 3 Dec 2004 00:10:34 +0000 (00:10 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Fri, 3 Dec 2004 00:10:34 +0000 (00:10 +0000)
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c

index 8d0ebbeaef84e7c4f8cb86340738bdd35d401f95..a60d41bc243645aeabffc7e71534b13e632a66b5 100644 (file)
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -441,8 +441,6 @@ static int check_ca(const X509 *x)
                 /* Older certificates could have Netscape-specific CA types */
                 else if (x->ex_flags & EXFLAG_NSCERT
                          && x->ex_nscert & NS_ANY_CA) return 5;
-               /* 2 means "I don't know...", which is legal for V1 and V2 */
-               else if (x->ex_flags & EXFLAG_V1) return 2;
                 /* can this still be regarded a CA certificate?  I doubt it */
                 return 0;
         }
author	Dr. Stephen Henson <steve@openssl.org>
	Fri, 3 Dec 2004 00:10:34 +0000 (00:10 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Fri, 3 Dec 2004 00:10:34 +0000 (00:10 +0000)