Hi Arjen,

On Mon, May 18, 2020 at 6:02 PM Arjen Nienhuis <ar...@zorgdoc.nl> wrote:
> I used PKCS7 because I did not know how to parse concatenated blobs.

Mathilde, how did we plan to use it? :)

> I think you should use SSL_get_peer_cert_chain because:
> - BoringSSL has no SSL_get0_verified_chain.
> - For debugging having all the certs is better. Especially if the chain
> is not valid.
> - In theory it's not always possible to do OCSP with the verified chain.
> OCSP is part of finding a valid chain. OpenSSL could choose a cert chain
> that doesn't pass OCSP while another chain exists that can pass OCSP.

Thank you for your feedback.
Do you want to handle the changes? Otherwise we can handle them and
mention you as the original proposition in the commit message. As you
wish.

-- 
William
