On 02/16/2013 10:51 PM, Dr. Stephen Henson wrote:
> So you could supply an application defined callback that just calls
> X509_verify_cert too which keeps the current behaviour. If that call is
> successful you can then note the chain for future use using
> X509_STORE_CTX_get1_chain().

That's fine except that we're using the SSL_CTX_set_verify() callback already
and the docs say it and SSL_CTX_set_cert_verify_callback() should not
be mixed.

Also, OCSP_basic_verify wants a store to verify using, it seems (by
experiment[1], given the lack of documentation).  So if I note the chain
from using X509_STORE_CTX_get1_chain() I'd have to unpack it
merely to build a store, which has little advantage...

[1] Call it with a null store and it crashes. Call it with the connection store
from SSL_CTX_get_cert_store(), and the chain as above for "certs", and it fails
with "unable to get local issuer certificate". Call it with null "certs" and a
store built from the certs of the SSL_CTX_set_verify() callbacks, and it works.

--
Cheers,
    Jeremy
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
