Hi Goetz,

> >> * On server:
> >>   * if your server cert is signed by the root,
> >>     you can turn off sending of the root to the cert by
> >>     SSL_CTX_set_mode(ctx,SL_MODE_NO_AUTO_CHAIN)
> >
> > I can't find this option (or similar) in the docs or header files.
> > Was this added in 0.9.7 or later?
>
> (Naturally SSL_MODE_NO_AUTO_CHAIN)

I guessed that :-)

> This flag was added 2003-Feb-12 to 0.9.7 and HEAD
> I got you right ?
> You are still using 0.9.6 ?
> I strongly recommend that you update OpenSSL to a newer version.
> 3 year old software is almost like back to stone age...

Indeed I have already recommended this too. However we will be using OpenSSL on OpenVMS 7.3-1 and HP's implementation for that platform is based on 0.9.6.

> > On server and client:
> >
> >> * add the CA cert to the servers verify data
> >>   X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx),root)
> >
> > I use SSL_CTX_load_verify_locations(ctx, root, path). Does this do
> > the same thing?
>
> Yes.
> Only with X509_STORE_add_cert() you load a cert, set it for verify
> and add it to the SSL verify data. So you don't have to load it twice.
> (And you are sure which cert you set and that you really set
> only one cert...)

I'm not sure I understand. Why would I have to load it twice if I don't use X509_STORE_add_cert() ?

Cheers,
Mark.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]