My understanding is that OpenSSL doesn't really use the "trusted certificate" system, which contains the information about what a certificate is trusted for. Further, the bits available for the Windows store don't have an isomorphic mapping within the trust parameters that OpenSSL provides.
Is there a spec on OpenSSL's "trusted certificate" architecture? Is there any guidance available on best practices to map from one to the other, or is that such a complex subject that it needs a full treatise?

-Kyle H

On Mon, Jan 11, 2010 at 4:38 PM, Dr. Stephen Henson <[email protected]> wrote:
> On Mon, Jan 11, 2010, NARUSE, Yui wrote:
>
>> (2010/01/10 23:23), Shahin Khorasani wrote:
>> > try this
>> > (snip)
>>
>> Thanks, it works.
>>
>>
>> So I request X509_STORE_set_default_paths call this.
>> When this is merged, both Unix user and Windows user can use
>> the system's default root certificates.
>>
>> I should file this to Request Tracker as a bug? (even if this is feature
>> request)
>>
>
> Some CryptoAPI handling code already exists in the CryptoAPI ENGINE and I'd
> suggest that a ctrl for that would be the best place to put it. There are some
> debug options already that can dump a whole store to standard output.
>
> However some additional code would be needed because that just adds the whole
> store without any purpose setting code. This could cause security issues if
> for example client certificate authorities are used for server signing for
> example.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       [email protected]
> Automated List Manager                           [email protected]
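
The purpose-setting concern raised in the quoted reply, shown with the `openssl` command line as an added example (not code from this thread or from the OpenSSL project): the same root is accepted for server verification as a plain certificate, but rejected once it carries trust settings that limit it to client authentication. The PKI, file names and subject names are constructed, and an `openssl` binary on PATH is assumed.

```shell
#!/bin/sh
# Added example: throwaway, constructed PKI; every name below is made up.

# build_demo_pki DIR: create a root CA, a leaf it signs, and a copy of the
# root in "trusted certificate" form (trusted for clientAuth only).
build_demo_pki() {
    ( cd "$1" || exit 1
      cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Client-Auth Root
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
      openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes \
          -keyout ca.key -out ca.pem -days 2 &&
      openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
          -keyout leaf.key -out leaf.csr -subj "/CN=server.example.test" &&
      openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key \
          -CAcreateserial -out leaf.pem -days 2 &&
      # Same certificate plus auxiliary trust data: the purpose setting.
      openssl x509 -in ca.pem -trustout -addtrust clientAuth \
          -addreject serverAuth -out ca_clientonly.pem
    ) >/dev/null 2>&1
}

# verify_as PURPOSE CAFILE CERT: succeeds only if openssl verify reports OK.
verify_as() {
    openssl verify -purpose "$1" -CAfile "$2" "$3" 2>/dev/null | grep -q ': OK$'
}

# Compare the plain root with the purpose-restricted one for both purposes.
demo_dir=$(mktemp -d) && build_demo_pki "$demo_dir" || exit 1
for ca in ca.pem ca_clientonly.pem; do
    for purpose in sslserver sslclient; do
        if verify_as "$purpose" "$demo_dir/$ca" "$demo_dir/leaf.pem"
        then verdict=accepted; else verdict=rejected; fi
        printf '%-18s %-10s %s\n' "$ca" "$purpose" "$verdict"
    done
done
```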
