** libgnutls: the gnutls_handshake() process will enforce a timeout by
default.
-** libgnutls: the verification flag GNUTLS_REQUIRE_KEY_PURPOSE_ON_INTERMEDIATE
-is introduced, and forces the application of the desired key purpose (extended
-key usage) into intermediate certificates. The verification result
+** libgnutls: if a key purpose (extended key usage) is specified for verification,
+it is applied into intermediate certificates. The verification result
GNUTLS_CERT_PURPOSE_MISMATCH is also introduced.
** libgnutls: Added support for the extended master secret
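Review bot: the replacement NEWS text at "+** libgnutls: if a key purpose (extended key usage) is specified for verification, it is applied into intermediate certificates" does not say that this is a behaviour change. The removed entry described an opt-in flag; with this version the intermediate key-purpose check happens whenever a purpose is given at all, so chains whose intermediates lack the requested extended key usage will now fail with GNUTLS_CERT_PURPOSE_MISMATCH where they were accepted before. Suggest stating that plainly, e.g. "this check is now always performed and may reject chains that earlier versions accepted", and "applied to intermediate certificates" reads better than "applied into".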
* using certificate revocation lists or the available OCSP data.
* @GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS: When including a hostname
* check in the verification, do not consider any wildcards.
- * @GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE: When verifying a certificate
- * and asking for a particular key purpose, require that any intermediate certificates
- * bear this key purpose as well. This is not enabled by default as this is not part
- * of RFC5280, but rather is an extension of CA Forum (baseline requirements 1.1.9).
*
* Enumeration of different certificate verify flags. Additional
* verification profiles can be set using GNUTLS_PROFILE_TO_VFLAGS()
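Review bot: dropping the "@GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE" paragraph also drops the only place the header explains why intermediates are checked for key purpose (the removed lines note it "is not part of RFC5280, but rather is an extension of CA Forum (baseline requirements 1.1.9)"). Since the check is now unconditional, that rationale and reference should move to the documentation of the parameter that carries the purpose in the verification call rather than disappear.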
GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN = 1 << 10,
GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN = 1 << 11,
GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS = 1 << 12,
- GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE = 1 << 13
/* cannot exceed 2^24 due to GNUTLS_PROFILE_TO_VFLAGS() */
} gnutls_certificate_verify_flags;
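Review bot: removing "GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE = 1 << 13" from a public enum breaks compilation of any application that names it, and leaves bit 13 free to be reassigned with different meaning later. Suggest keeping the enumerator, marked deprecated and ignored by the verifier (which now enforces the check regardless), or at least a comment reserving 1 << 13. With the last enumerator gone, "GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS = 1 << 12," now closes the list with a trailing comma; that is valid C99 but worth dropping if the header is meant to build cleanly under strict C89 or -pedantic.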
if (i - 1 < 0)
break;
- if (purpose != NULL && (flags & GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE)) {
+ if (purpose != NULL) {
ret = _gnutls_check_key_purpose(certificate_list[i], purpose, 1);
if (ret != 1) {
gnutls_assert();
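Review bot: the new condition "+ if (purpose != NULL) {" makes the intermediate key-purpose check unconditional, so the behaviour the removed flag documented as "not enabled by default" is now always on; a comment at this site stating that intermediates must carry the requested purpose, and that this follows the CA Forum baseline requirements rather than RFC 5280, would explain the choice to later readers. The test suite should gain (or update) a chain whose intermediate lacks the requested extended key usage and assert GNUTLS_CERT_PURPOSE_MISMATCH, plus one whose intermediate carries it, to pin the new default. The literal in "if (ret != 1)" would also read better against a named success value of _gnutls_check_key_purpose.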