On Thu, Oct 02, 2003 at 10:05:55AM +0900, jiang lei wrote:
> Windows HTTP client using openssl0.9.7b, a single server cert signed by
> VeriSign.
>
> the path is:
>
> [VeriSign Class 3 Public Primary CA ] -----> [www.verisign.com/CPS Incorp.by
> Ref. LTD.(c)97 VeriSign] -----> [my own cert]
>
>
> After loading 2 parent certs with SSL_CTX_load_verify_locations(), the
> verify callback does not complain anymore. However, that's not enough for
> me. I also have to provide a mechanism to examine the whole cert chain, check
> for problems and save them onto disk for later use, just like IE does. But
> when I used the following code to get peer cert chain, the stack length was
> always 1:
>
> STACK_OF(X509) *pPeerChain = SSL_get_peer_cert_chain(ssl);
> int stacklen = sk_X509_num(pPeerChain);
>
> Is SSL_get_peer_cert_chain() the right function? Or is there another way to
> do that kind of job?
SSL_get_peer_cert_chain() will return the chain as sent by the peer.
Certificates that were only added locally for verification purposes (e.g.
root CA certificates) and that were not actually sent by the peer are
therefore not part of the list. A function returning the assembled chain
does not exist.

Best regards,
	Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]