On 02/16/2013 10:51 PM, Dr. Stephen Henson wrote:
> So you could supply an application defined callback that just calls
> X509_verify_cert too which keeps the current behaviour. If that call is
> successful you can then note the chain for future use using
> X509_STORE_CTX_get1_chain().
That's fine, except that we're using the SSL_CTX_set_verify() callback already, and the docs say it and SSL_CTX_set_cert_verify_callback() should not be mixed.

Also, OCSP_basic_verify wants a store to verify using, it seems (by experiment[1], given the lack of documentation). So if I note the chain using X509_STORE_CTX_get1_chain() I'd have to unpack it merely to build a store, which has little advantage...

[1] Call it with a null store and it crashes. Call it with the connection store from SSL_CTX_get_cert_store(), and the chain as above for "certs", and it fails with "unable to get local issuer certificate". Call it with null "certs" and a store built from the certs of the SSL_CTX_set_verify() callbacks, and it works.

-- 
Cheers, Jeremy
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org