Re: [Openvpn-devel] [PATCH v2] Use CryptoAPI to verify certificates
Hi,

Thank you for your comments.

Alon Bar-Lev wrote:
> On 1/3/07, Faidon Liambotis wrote:
>> Ok, here's another try, even though I didn't get any comments on the
>> first one :-)
>>
>> This is a totally different approach; the previous one was flawed in at
>> least two aspects:
>
> This is better.
> But you should use CertVerifyCertificateChainPolicy in order to verify
> chain, you should have two policies, one for server and one for
> client...

I've thought about it but didn't implement it because the only policy I could think of was the nsCertType checking which is already being done by OpenSSL if the user requested it.

> I think you can remove the global variable you added to ssl.c and put
> it in the session.

True, I will fix this.

Regards,
Faidon
Re: [Openvpn-devel] [PATCH v2] Use CryptoAPI to verify certificates
On 1/3/07, Faidon Liambotis wrote:
> Ok, here's another try, even though I didn't get any comments on the
> first one :-)
>
> This is a totally different approach; the previous one was flawed in at
> least two aspects:

This is better.
But you should use CertVerifyCertificateChainPolicy in order to verify chain, you should have two policies, one for server and one for client...

I think you can remove the global variable you added to ssl.c and put it in the session.

Another thing... I think the MinGW specific code should be dropped, I know it was in the previous source... But there should be no problem in creating one code which runs on both.

Best Regards,
Alon Bar-Lev.