Add new "valid_flags" field to CERT_PKEY structure which determines what the certificate can be used for (if anything). Set valid_flags field in new tls1_check_chain function. Simplify ssl_set_cert_masks which used to have similar checks in it. Add new "cert_flags" field to CERT structure and include a "strict mode". This enforces some TLS certificate requirements (such as only permitting certificate signature algorithms contained in the supported algorithms extension) which some implementations ignore: this option should be used with caution as it could cause interoperability issues.
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index dad84dc..993f6e4 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c
@@ -3921,6 +3921,8 @@ allow = srvr; } + tls1_set_cert_validity(s); + for (i=0; i<sk_SSL_CIPHER_num(prio); i++) { c=sk_SSL_CIPHER_value(prio,i);