On Thu, Aug 29, 2002, Lutz Jaenicke wrote:

> On Thu, Aug 29, 2002 at 09:10:47AM -0400, Shaheed Bacchus wrote:
> >     You are correct, "issuer" is not self-signed (in fact it's
> > the cert that's provided by default with openssl in the
> > apps/demoCA dir).  So how do I tell the verification
> > routine to not walk further down the tree?  Ideally I'd
> > like to give it a cert that may or may not be self-signed
> > and have it consider that cert to be trusted, therefore
> > when doing the verification if it finds that the client cert
> > chain has been signed at some point by this cert it
> > considers the client cert to be valid.  Does this make
> > sense?
> 
> OpenSSL does not support "trusted" certificates that are not self-signed
> root CA certificates. It will always walk down the chain.
> What could be done is to catch the mentioned error condition in the
> callback and declare the certificate to be correct, there.
> 
> It would take some extensions to the certificate verification code 
> to change the behaviour. I don't know how large the interest is
> in such an extension.
> 

That's on my list of things to do. However so are a ridiculously
large number of other things :-(

There are however quite a few complications in adding this kind of
stuff. I did look at it a while ago and IIRC it would require a
fairly fundamental change in how the verify code works, and possibly
the X509_LOOKUP replacement too.

Steve.
--
Dr. Stephen Henson      [EMAIL PROTECTED]            
OpenSSL Project         http://www.openssl.org/~steve/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]