On 24/12/2013 11:58, Yann Ylavic wrote:
> According to
> http://mail-archives.apache.org/mod_mbox/httpd-dev/200806.mbox/%3c48592955.2090...@velox.ch%3E,
> the (great) analysis Kaspar made in 2008, the only parameters which
> won't be renegotiated are SSLCACertificateFile/Path and
> SSLCADNRequestFile/Path.
> This is because of the lacking OpenSSL SSL_set_cert_store() function,
> which always seems to be the case with the latest versions (AFAICT).
OpenSSL 1.0.2 and later will address this. It supports separate verification
and chain-building stores which can be set at the SSL_CTX or SSL level. See:

http://www.openssl.org/docs/ssl/SSL_CTX_set1_verify_cert_store.html

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com