On Sat, Feb 16, 2013, Jeremy Harris wrote:
> On 02/09/2013 12:12 PM, Jeremy Harris wrote:
> > I'm working on an implementation of the client side of OCSP stapling.
> > To verify the stapled information I'm using the chain leading to the
> > server certificate, as presented in the (repeated) verify callbacks for
> > the server cert.
>
> Despite the resounding lack of response I've moved to building
> a fresh store, though still using the verify callbacks. This is to
> ensure that the exact CA chain used for the server cert is also
> used for the stapling response verification.
>
> Any screams of "you're doing it wrong" before this gets baked
> into a certain MTA?
There should be a way to get the verified chain back from the SSL structure; unfortunately you can't directly at present. There are a couple of ways to handle this.

If you look through ssl_verify_cert_chain() you'll see you can pass a callback to handle the complete verification operation, and if this callback isn't defined it calls X509_verify_cert() instead using similar arguments. So you could supply an application-defined callback that just calls X509_verify_cert() too, which keeps the current behaviour. If that call is successful you can then note the chain for future use using X509_STORE_CTX_get1_chain().

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org