I composed a reply with questions earlier today, but it is still not shown on the web, so I doubt the message got lost. Sorry if the message is repeated.
Thanks much, Lutz.

> Do not access members of the SSL object (ssl->...) directly, as these
> structures may change. Please use the official API
> SSL_get_peer_certificate(), SSL_get_peer_cert_chain() to obtain the
> X509 objects. You can then simply write them to file using the
> PEM_write_X509()/PEM_write_bio_X509() function.

I managed to save the peer/server cert in my verify_callback in physical PEM file format, using:

    X509_STORE_CTX_get_current_cert();
    PEM_write_X509();

During subsequent authentication, I tried to load the saved file (say filename.pem) using verify_load_location(,"filename.pem", NULL), hoping that during client authentication with the same server in the future, the server cert can be verified correctly against the saved file. However, it still complains in verify_callback that the peer cert from the server is untrusted.

Then, for a test, I exported a trusted root cert signed by the same server CA, and used verify_load_location with this new trusted root cert (saved on a disk and copied to the client). During authentication, the peer cert from the server can now be verified correctly.

So, my question is: what other info from the server/peer cert should I save as a physical file, so that I can use it to verify against the same server cert to make it trusted? There must be some simple thing that I am ignorant of, and hopefully your expertise helps. Thank you very much for any guidance.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
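The following is an added example, not part of this thread and not code from the poster or the OpenSSL project, that reproduces the behaviour described above with the openssl command-line tool: the saved server (leaf) certificate loaded as the trusted file does not make verification succeed, the issuing root does, and trusting the leaf itself only works when partial chains are explicitly allowed. The CA name, server name, working directory and the minimal req config are all constructed for the demo; it assumes an openssl binary of 1.0.2 or later on PATH (for -partial_chain).

```shell
#!/bin/sh
# Added demo (not from the original message): what a trust store actually
# needs in order to verify a server certificate.  Everything below is
# constructed on the fly in a temporary directory.

WORK=$(mktemp -d)

# Minimal req config so the demo does not depend on the system openssl.cnf.
# [ca_ext] marks the root as a CA; without basicConstraints the verifier
# would reject it as an invalid CA.
cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Build a constructed PKI: self-signed root "Demo Root CA" and a server
# leaf "server.example" signed by it (this plays the role of the peer cert
# that the client saved from verify_callback).
gen_demo_pki() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Demo Root CA" -days 1 >/dev/null 2>&1 || return 1
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=server.example" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -set_serial 1 -days 1 \
    -out "$WORK/server.pem" >/dev/null 2>&1 || return 1
}

# Verify the server cert against a given trust file; echo OK or FAIL.
# Any extra arguments are passed to 'openssl verify' (e.g. -partial_chain).
# The result is read from the tool's output rather than its exit status,
# because old openssl releases exit 0 even on verification failure.
verify_against() {
  anchor=$1
  shift
  if openssl verify "$@" -CAfile "$anchor" "$WORK/server.pem" 2>&1 \
       | grep -q ': OK$'; then
    echo OK
  else
    echo FAIL
  fi
}

gen_demo_pki || { echo "openssl key/cert generation failed" >&2; exit 1; }

# 1. The saved peer certificate alone: the verifier still looks for the
#    issuer of server.pem in the store and does not find one.
leaf_only=$(verify_against "$WORK/server.pem")
# 2. The issuing root CA: this is what a trust store is for.
root_ca=$(verify_against "$WORK/ca.pem")
# 3. Pinning the leaf itself is possible, but only as an explicit opt-in
#    (X509_V_FLAG_PARTIAL_CHAIN in the API, -partial_chain on the CLI).
leaf_pinned=$(verify_against "$WORK/server.pem" -partial_chain)

echo "saved leaf as -CAfile:             $leaf_only"
echo "issuing root as -CAfile:           $root_ca"
echo "saved leaf with -partial_chain:    $leaf_pinned"

rm -rf "$WORK"
```

The point it makes is that X509 verification builds a chain from the peer certificate up to a trust anchor, so the file handed to the verify-locations call must contain the issuer (or the root of the chain), not the peer certificate itself. The CA certificates are available on the client from SSL_get_peer_cert_chain(), as mentioned in the quoted reply, and saving those is what makes the next connection verify; keeping only the leaf works solely with the partial-chain flag, which is a deliberate pinning choice rather than the default.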
