On Mon, Feb 22, 2010, Eisenacher, Patrick wrote:

> Unfortunately, the perceived verification algorithm is a limitation in
> openssl, which always wants to do path validation up to a self signed cert,
> even if no revocation checking is requested. And no, there's no way to
> modify its verification algorithm besides from changing the code.

While it does technically need a modification of the verification algorithm,
it is possible to customise its behaviour using the verify callback.

If a chain contains no trusted certificates you get the error:

    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

if it contains at least one trusted certificate you instead get:

    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT

if you ignore the latter error that should work.

[I've just noticed the documentation says the opposite of the above, arghhhh!]

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
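
A verify callback along the lines the reply describes, as an added example that is not code from the original message or from the OpenSSL project. It follows the error-code mapping exactly as stated in the message, which itself notes that the documentation says the opposite, so confirm the behaviour against the OpenSSL version in use. The names partial_chain_policy, verify_cb and install_partial_chain_cb and the WITH_OPENSSL build switch are assumptions.

```c
#include <stdio.h>

/* Real build: cc -DWITH_OPENSSL example.c -lssl -lcrypto */
#ifdef WITH_OPENSSL
#include <openssl/ssl.h>
#include <openssl/x509_vfy.h>
#else
/* Same numeric values as <openssl/x509_vfy.h>, so the policy compiles alone. */
#define X509_V_OK 0
#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2
#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20
#endif

/* Hypothetical helper: returns 1 to continue verification, 0 to fail it.
 * Only the single error named in the message is tolerated. */
int partial_chain_policy(int preverify_ok, int err)
{
    if (preverify_ok)
        return 1;
    return err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
}

#ifdef WITH_OPENSSL
static int verify_cb(int preverify_ok, X509_STORE_CTX *ctx)
{
    int ok = partial_chain_policy(preverify_ok, X509_STORE_CTX_get_error(ctx));
    if (ok && !preverify_ok)
        X509_STORE_CTX_set_error(ctx, X509_V_OK); /* keep final result clean */
    return ok;
}

/* Hypothetical wrapper: peer verification stays on, only the callback changes. */
void install_partial_chain_cb(SSL_CTX *ssl_ctx)
{
    SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, verify_cb);
}
#endif

int main(void)
{
    printf("issuer missing above a trusted cert: %d\n",
           partial_chain_policy(0, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT));
    printf("no trusted cert in the chain:        %d\n",
           partial_chain_policy(0, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY));
    return 0;
}
```

Every other verification error (expiry, bad signature, a chain with no trusted certificate at all) still fails the handshake, because the callback returns the library's own verdict for anything it does not explicitly tolerate.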