EKU handling question

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

EKU handling question

Ryan Hurst-3
Hello -

It has been some time since I visited these forums, I have searched for my answer in the forums but did not find an answer; I have not yet looked at the source to confirm behavior it is my hope that someone can easily answer a question relating to how an application based on OpenSSL would likely handle a specific case.

If I have a certificate chain with three certificates, a root, a subordinate ca and a leaf; there are no EKUs in the root, the client authentication EKU in the subordinate and server authentication EKU in the last leaf; in this chain will the final leaf be considered valid for server authentication?

My recollection is that the way the APIs are structured even the default behavior in this case is it entirely up to the application that incorporates OpenSSL to handle such checks.

Assuming that is the case if you know what mod_ssl does in this case I would love to know that answer as well.

BTW,  I know that RFC wise there is no requirement that EKUs be consistent throughput the chain but Windows has had a behavior to treat EKUs in a way similar to certificate policy and I am curious if openssl decided to do something similar.

Thanks in advance,