X509_V_ERR_EC_KEY_EXPLICIT_PARAMS after upgrading from 1.1.1 to 3.0.2 #20117
Comments
t8m
added
triaged: question
|
Yes, this is intentional. Explicit curve parameters are dangerous. The verification error can be dismissed if the application registers a verification callback. |
|
I had an impression that explicit curve parameters have been deprecated and are dangerous in TLS context. Do you know whether it is possible to define such callback outside TLS/SSL use case? I.e., when using X509_STORE to verify certificate chain? Thanks! |
|
Yes, you set the verify callback on the X509_STORE_CTX by the X509_STORE_CTX_set_verify_cb() function. Please see the manual pages. |
t8m
added
the
resolved: answered
|
Thanks! |
That is very unlikely to happen. I'd recommend asking PyOpenSSL to implement the verification callback functionality. That callback is useful in other scenarios too. |
This is not possible when verifying a CMS SignedData structure using CMS_verify as it does not expose the X509_STORE_CTX used. |
It exposes X509_STORE and there is an equivalent X509_STORE_set_verify_cb() for X509_STORE. |
Thanks, I was looking for that but somehow missed it. |
|
Closing since this is marked as resolved. |
After upgrading from OpenSSL v1.1.1 to 3.0.2 (Ubuntu 22.04) I get error "X509_V_ERR_EC_KEY_EXPLICIT_PARAMS" when verifying end-entity certificates that have explicit curve parameters (ICAO eMRTD certificates have them).
In the source code I see that in v1.1.1 the check was enforced only in the strict mode, but in v3.0.2 it is applied always and there is no way to opt out.
The text was updated successfully, but these errors were encountered: