author: Theo Buehler <tb@cvs.openbsd.org> 2022-01-04 13:39:02 +0000
committer: Theo Buehler <tb@cvs.openbsd.org> 2022-01-04 13:39:02 +0000
commit: 603cf0a513e8d0c71ad38a2e8f8ea0bcd0f447ff
tree: 8897973efe9d2e8b7d4e91bd90d26ad5deb2683a /etc/etc.armv7
parent: da8220d88a573ee84e80d53ebe41e10794aca594
Stop setting X509_V_FLAG_IGNORE_CRITICAL

Since the last bump, libcrypto knows about the RFC 3779 extensions. Therefore, setting X509_V_FLAG_IGNORE_CRITICAL is no longer needed. In fact, we want to error on critical extensions neither rpki-client nor libcrypto knows about.

On older LibreSSL versions with the default verify callback, this causes verification failures. Implement a verify callback that intercepts X509_V_ERR_UNHANDLED_CRITICAL_EXTENSIONS and checks that the cert doesn't contain critical extensions not supported by libcrypto other than the expected RFC 3779 extensions.

Tested with LibreSSL 3.3 and 3.4 on OpenBSD 6.9 and 7.0-stable by me and with LibreSSL 3.2 on Linux by claudio.

input/ok claudio
Diffstat (limited to 'etc/etc.armv7')
0 files changed, 0 insertions, 0 deletions
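
The decision the commit message describes, shown as an added example that is not rpki-client's code and does not use libcrypto: it walks a DER-encoded `Extensions` value directly and rejects any critical extension other than the two RFC 3779 ones and a supported one. The names `critical_exts_ok`, `tlv`, `GOOD`, `BAD` and `BENIGN` are hypothetical, the byte arrays are constructed samples, basicConstraints stands in (as an assumption) for the extensions the library handles, and only short-form DER lengths are parsed.

```c
#include <string.h>

/* OID content bytes. BASICC is an assumed stand-in for "an extension the
 * library already handles"; the other two are the RFC 3779 extensions. */
static const unsigned char BASICC[] = {0x55,0x1D,0x13};      /* 2.5.29.19 */
static const unsigned char IPADDR[] = {0x2B,6,1,5,5,7,1,7};  /* 1.3.6.1.5.5.7.1.7 */
static const unsigned char ASNUM[]  = {0x2B,6,1,5,5,7,1,8};  /* 1.3.6.1.5.5.7.1.8 */

/* Constructed samples: a critical basicConstraints, then one more entry. */
#define BC 0x30,0x0F,6,3,0x55,0x1D,0x13,1,1,0xFF,4,5,0x30,3,1,1,0xFF
static const unsigned char GOOD[] = {0x30,0x2C, BC,    /* critical ipAddrBlocks */
    0x30,0x19,6,8,0x2B,6,1,5,5,7,1,7,1,1,0xFF,4,10,0x30,8,0x30,6,4,2,0,1,5,0};
static const unsigned char BAD[] = {0x30,0x1F, BC,     /* critical 2.999.1 */
    0x30,0x0C,6,3,0x88,0x37,1,1,1,0xFF,4,2,5,0};
static const unsigned char BENIGN[] = {0x30,0x1C, BC,  /* non-critical 2.999.1 */
    0x30,0x09,6,3,0x88,0x37,1,4,2,5,0};

/* Read one short-form TLV with the given tag; 0 if absent or malformed. */
static int tlv(const unsigned char **p, const unsigned char *end, int tag,
    const unsigned char **v, size_t *n)
{
	if (end - *p < 2 || (*p)[0] != tag || (*p)[1] > 0x7F ||
	    (size_t)(end - *p - 2) < (*p)[1])
		return 0;
	*v = *p + 2; *n = (*p)[1]; *p = *v + *n;
	return 1;
}

#define IS(o) (on == sizeof(o) && memcmp(oid, o, on) == 0)
/* 1: no unexpected critical extension, 0: one found, -1: malformed DER. */
int critical_exts_ok(const unsigned char *der, size_t len)
{
	const unsigned char *p = der, *end = der + len, *seq, *e, *oid, *b;
	size_t sn, en, on, bn;
	int crit;

	if (!tlv(&p, end, 0x30, &seq, &sn) || p != end)
		return -1;
	for (p = seq; p < end; ) {
		/* After the first call p marks the end of this Extension. */
		if (!tlv(&p, end, 0x30, &e, &en) || !tlv(&e, p, 0x06, &oid, &on))
			return -1;
		/* critical is BOOLEAN DEFAULT FALSE: absent means not critical;
		 * a flag of the wrong length is treated as critical. */
		crit = tlv(&e, p, 0x01, &b, &bn) && (bn != 1 || b[0] != 0);
		if (!tlv(&e, p, 0x04, &b, &bn) || e != p) /* extnValue ends it */
			return -1;
		if (crit && !IS(BASICC) && !IS(IPADDR) && !IS(ASNUM))
			return 0;
	}
	return 1;
}
```

`BENIGN` carries the same unrecognised OID as `BAD` but without the critical flag, so it passes: only critical extensions that nobody handles are grounds for rejection.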