On Tue, Nov 22, 2005 at 01:39:29PM -0000, Mark wrote:
> Hi,
>
> > It is still better to have a CA that signs certificates,
> > there are some technical reasons in openssl,
> > it is simpler to program the trust checking, in fact with self signed
> > certs you need callbacks to accept them, while with a "trusted" CA,
> > you don't.
>
> This has put "a spanner in the works" for me. Can you point me to some
> code samples to handle this?
If I understand the question properly, you just need something which says:

    #include <iostream>
    #include <openssl/x509.h>
    #include <openssl/x509_vfy.h>

    using std::cerr;
    using std::endl;

    // Verify callback: OpenSSL calls this once per certificate in the chain.
    // 'ok' is OpenSSL's own verdict for that certificate; the value we
    // return replaces it.
    int verify_callback(int ok, X509_STORE_CTX *s)
    {
        int err = X509_STORE_CTX_get_error(s);
        if (ok) {
            return 1;
        } else {
            X509 *err_cert = X509_STORE_CTX_get_current_cert(s);
            char buf[1000];
            X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
            cerr << buf << endl;
            cerr << "error with certificate - error " << err << ", "
                 << X509_verify_cert_error_string(err)
                 << " at depth " << X509_STORE_CTX_get_error_depth(s) << endl;
            // Returning 1 here overrides the failure: the certificate is
            // accepted whatever the error was.
            return 1;
        }
    }

And you point your verify store at it using X509_STORE_set_verify_cb_func.

I'm not sure what the rationale behind needing to supply this is -- it doesn't really do anything clever, but if it's not there, verification fails saying "self-signed certificate".