Since OpenSSL 3.0, a number of additional checks were introduced to
X509_verify_cert() according to requirements in RFC 5280 in case
X509_V_FLAG_X509_STRICT is set. For example, the basicConstraints of CA
certificates must be marked critical. These checks cause verification failure
for not well-formed certificates.
Having backward compatibility in mind, it's better to disable strict checking
than to replace all broken certificates in applications.

Change-Id: I8c6cb50be7c36ff7ef3d5c221dd4f066c2626be6
} else if (0 == X509_STORE_CTX_init(storeCtx.get(), store.get(), clientCert.get(), nullptr)) { // check this nullptr
ALOGD("X509_STORE_CTX_init failed");
} else {
- X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(storeCtx.get()), X509_V_FLAG_X509_STRICT);
status = X509_verify_cert(storeCtx.get()); // 1 == ok; 0 == fail; -1 == error
}
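Review bot: Dropping the X509_VERIFY_PARAM_set_flags(..., X509_V_FLAG_X509_STRICT) call in the else branch relaxes verification for every client certificate that reaches X509_verify_cert() here, not only the legacy ones the commit message is concerned with, and nothing in the code records why. Please leave a comment at this spot stating that strict RFC 5280 checking is deliberately off for compatibility with certificates that fail the OpenSSL 3.0 checks, so a later reader does not restore the flag or assume it is set. Consider also whether the relaxation can be limited to the affected certificates, for example by verifying with the strict flag first and retrying without it only on failure, logging the X509_STORE_CTX_get_error() value so the non-conforming certificates can be identified and eventually replaced. Separately, the "// check this nullptr" remark on the X509_STORE_CTX_init() line is still unresolved: passing nullptr for the untrusted chain means no intermediates are supplied, which should be either confirmed as intended or tracked outside the code.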