In message <rt-4.0.19-13376-1469461907-1144.4602-...@openssl.org> on Mon, 25 Jul 2016 15:51:47 +0000, "msa...@nikhef.nl via RT" <r...@openssl.org> said:

rt> On Mon, Jul 25, 2016 at 01:44:18PM +0000, Salz, Rich via RT wrote:
rt> > I am not sure what to suggest. This conversation is bouncing across
rt> > two ticket systems and is all about a legacy certificate format that
rt> > is, what, outdated since 2002?
rt> > I am hard-pressed to see why OpenSSL 1.1 has to do anything other than
rt> > what Richard proposed.
rt>
rt> The two ticket systems are indeed annoying and I don't know what to do
rt> about that (I did not start this thread) other than removing one of
rt> them.

One way is to exclude r...@openssl.org from your list of recipients ;-)
(I just did, btw)

I'm also taking away 829...@bugs.debian.org

rt> The point is that if OpenSSL is providing a verification callback which
rt> can be used to provide a custom verification of the cert chain, then it
rt> should provide the necessary handles, and the thing still missing from
rt> what Richard proposed is a way to point to the failing certificate in
rt> the chain. We can set the error, but not at which depth in the chain the
rt> error occurred.
rt> This in itself is not limited to our use-case but is a general API
rt> request.

Just for clarity, when I talk about the verification callback, I'm talking
about verify_cb, settable with X509_STORE_CTX_set_verify_cb(). If you're
talking about something else, please correct me.

By design, verify_cb is called for *each* certificate in the chain, and to
allow the verification result for that certificate alone to be customized.
current_cert, current_issuer, etc. are meant as input for verify_cb,
indicating which certificate in the chain the call of the callback is
about. Why one would need to tamper with them from inside the verify_cb
function escapes me...

Cheers,
Richard

--
Richard Levitte         levi...@openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/