----- Original Message -----
> From: Stephen Henson via RT <r...@openssl.org>
> To: var...@yahoo.com
> Cc: openssl-dev@openssl.org
> Sent: Saturday, March 3, 2012 8:31 AM
> Subject: [openssl.org #2751] [ENHANCEMENT] Request moving static get_issuer_sk before X509_verify_cert
> 
>>  [var...@yahoo.com - Sat Mar 03 13:23:18 2012]:
>> 
>> 
>>  I'll submit another request related to why I want this done; but the
>>     move itself should be OK, I think.   [I would like to be able to
>>     check the "trusted" store for any matching issuer when building the
>>     client-verification chain.  This is related to issues from
>>     Cross-Certification.]
>> 
> 
> Note there is a flag X509_V_FLAG_TRUSTED_FIRST in HEAD which may do what
> you want.

Yes, this is what I was looking at doing and very similar to how I was going to 
do it.  Is there API support for this?  E.g., to set from mod_ssl?  I don't see 
anything, so I'm just reaching in through ctx->param to set it, but if there's 
a better/more proper way, I'd prefer to do it that way.

Also, is this targeted for 1.0.2, I guess? And would it be possible to 
back-port it to the 0.9.8 branch?  I'd love to have, e.g., RHEL5 pick it up 
natively.  

The patch should be attached... 


Thanks,
Kevin

Attachment: openssl-fips-0.9.8e-use-trusted.patch
Description: Binary data
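
The search order that X509_V_FLAG_TRUSTED_FIRST changes, shown as an added example that is not part of the original message, the attached patch, or OpenSSL's code: a simplified C model of issuer lookup during chain building in the cross-certification case. The `cert` struct, `build_chain`, `demo` and the CA names are hypothetical, and issuers are matched by name only.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model: a certificate is only a subject and an issuer name.
   Signatures, validity and extensions are deliberately not modelled. */
typedef struct { const char *subject, *issuer; } cert;

/* First cert in list[0..n) whose subject matches the wanted issuer name. */
static const cert *find_issuer(const cert *list, int n, const char *name) {
    for (int i = 0; i < n; i++)
        if (strcmp(list[i].subject, name) == 0) return &list[i];
    return NULL;
}

/* Walk upward from leaf. Returns the chain length once an issuer is taken
   from the trusted store, or -1 if the walk dead-ends without one. */
int build_chain(const cert *leaf, const cert *untrusted, int nu,
                const cert *trusted, int nt, int trusted_first) {
    const cert *cur = leaf;
    for (int depth = 1; depth <= 10; depth++) {  /* bound guards against loops */
        const cert *t = find_issuer(trusted, nt, cur->issuer);
        const cert *u = find_issuer(untrusted, nu, cur->issuer);
        if (t && (trusted_first || !u)) return depth + 1;  /* anchored */
        if (!u) return -1;              /* no issuer anywhere: verification fails */
        cur = u;                        /* follow the peer-supplied certificate */
    }
    return -1;
}

/* Constructed cross-certification case: the peer sends CA-A as cross-signed
   by CA-B, while the verifier trusts only CA-A's self-signed root. */
int demo(int trusted_first) {
    const cert leaf = { "client", "CA-A" };
    const cert untrusted[] = { { "CA-A", "CA-B" } };
    const cert trusted[] = { { "CA-A", "CA-A" } };
    return build_chain(&leaf, untrusted, 1, trusted, 1, trusted_first);
}

int main(void) {
    printf("untrusted first: %d\n", demo(0));
    printf("trusted first:   %d\n", demo(1));
    return 0;
}
```

With the untrusted list searched first, the walk follows the cross-certificate toward CA-B and fails; with the trusted store searched first, it stops at the trusted CA-A root.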
