Verifying certificate purpose
twirtgen opened this issue · comments
When establishing connection with a TLS server, I think X509_VERIFY_PARAM_set_purpose
does not check the right purpose.
Currently, when picotls is used as a client, the line:
Line 1235 in 80a2bbd
However, as I understand it, they have to check X509_PURPOSE_SSL_SERVER
instead, since the certificate has been sent by the server.
There were conversations about this in openssl/openssl#14199 (comment) (https://github.com/openssl/openssl/pull/14199/files#diff-c17351bdef7704fb7ac7fa0cf992ff9cf68167a1b66d7aa63670496c7af9a6a6R109) and in openssl/openssl#13965 (comment).
Thank you for reporting the issue!