> > > Do not access members of the SSL object (ssl->...) directly, as these
> > > structures may change. Please use the official API
> > > SSL_get_peer_certificate(), SSL_get_peer_cert_chain() to obtain the
> > > X509 objects. You can then simply write them to file using the
> > > PEM_write_X509()/PEM_write_bio_X509() function.
> >
> > I managed to save the peer/server cert in my verify_callback in
> > physical PEM file format, using:
> > X509_STORE_CTX_get_current_cert();
> > PEM_write_X509();
> >
> > During subsequent authentication, I tried to load the saved file (say
> > filename.pem) using verify_load_location(,"filename.pem", NULL), hoping
> > that during client authentication with the same server in future, server
> > cert can be verified correctly against the saved file. However, it still
> > complains in verify_callback that peer cert by server is untrusted.
>
> Ah! For the verification to succeed, you must capture the CA chain
> including the root certificate. OpenSSL's verification routines by
> now do not allow single peer certificates to be handled. The chain
> must always be complete.
Thanks Lutz. I am working on client. Now I use X509_STORE_CTX_get_chain(ctx)
in the verify_callback(,ctx), trying to store the server cert chain for
future verification. However, the _get_chain() always returns a stack with
just one X509 object (st->num=1), which is the cert similar to
X509_STORE_CTX_get_current_cert(). Is there any way for me to extract the
server/peer root certificate during verify_callback()? Anything that I
overlooked? Thanks a lot!!

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
