Sfortunatamente SSLv1 non è ancora morto. OpenSSL supporta ancora v1 per i certificati root, ad es. in crypto/x509v3/v3_purp.c
. Attenzione, commento spaventoso avanti!
static int check_ca(const X509 *x)
{
/* keyUsage if present should allow cert signing */
if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
if(x->ex_flags & EXFLAG_BCONS) {
if(x->ex_flags & EXFLAG_CA) return 1;
/* If basicConstraints says not a CA then say so */
else return 0;
} else {
/* we support V1 roots for... uh, I don't really know why. */
if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
/* If key usage present it must have certSign so tolerate it */
else if (x->ex_flags & EXFLAG_KUSAGE) return 4;
/* Older certificates could have Netscape-specific CA types */
else if (x->ex_flags & EXFLAG_NSCERT
&& x->ex_nscert & NS_ANY_CA) return 5;
/* can this still be regarded a CA certificate? I doubt it */
return 0;
}
}