On Mon, Nov 22, 2004, dragos liciu wrote:
> Hi,
>
> I would like to hear somebody's opinion about the
> issue below (couldn't figure it out from the code).
>
> The question is related to the fourth parameter of the
> X509_STORE_CTX_init function (I've implemented an SSL
> client):
>
> int X509_STORE_CTX_init(X509_STORE_CTX *ctx,
>                         X509_STORE *store,
>                         X509 *x509,
>                         STACK_OF(X509) *chain
>                         );
>
> Should the fourth parameter contain the whole
> certificate chain received from an SSL server,
> including the server certificate (I pass this one as the
> third parameter anyway), or must the server's certificate
> be removed from the chain before passing it to the
> X509_STORE_CTX_init function?
>
> The only way I could make certificate verification
> work was to remove the server's certificate from the chain
> (though I've seen some code snippets suggesting the
> contrary).

The fourth parameter is a collection of any certificates that might help
the verify process. It will normally be searched for untrusted CAs. It
can contain other certificates in the expected path, unrelated
certificates or none at all. There are several places in OpenSSL
(including the S/MIME code) where the whole path and unrelated
certificates are passed in that parameter.

What error do you get during verify?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]