On Tue, Dec 24, 2013 at 1:50 PM, Dr Stephen Henson <shen...@opensslfoundation.com> wrote:

> On 24/12/2013 11:58, Yann Ylavic wrote:
> >
> > According to
> > http://mail-archives.apache.org/mod_mbox/httpd-dev/200806.mbox/%3c48592955.2090...@velox.ch%3E ,
> > the (great) analysis Kaspar made in 2008, the only parameters which
> > won't be renegotiated are SSLCACertificateFile/Path and
> > SSLCADNRequestFile/Path.
> > This is because of the lacking OpenSSL's SSL_set_cert_store()
> > function, which always seems to be the case with the latest versions
> > (AFAICT).
>
> OpenSSL 1.0.2 and later will address this. It supports separate
> verification and chain building stores which can be set at the
> SSL_CTX or SSL level. See:
>
> http://www.openssl.org/docs/ssl/SSL_CTX_set1_verify_cert_store.html

Thanks for the pointer.

Regards,
Yann.