Citation from "Dr. Stephen Henson" <[EMAIL PROTECTED]>:

> On Mon, Nov 28, 2005, Stefan Vatev wrote:
>
> > Hi guys,
> >
> > I had to look in depth at the OCSP stuff of OpenSSL and some
> > questions arise. Well, in ocsp.c I don't get why, after trying
> > OCSP_basic_verify(bs, verify_other, store, verify_flags) and the
> > result is negative, openssl tries to verify the signer's
> > certificate again, but without the stack of certs (which are to be
> > verified) and all flags set to zero. I really don't understand
> > this piece of code :(
>
> I have to admit that I wasn't sure why that was there either :-)
>
> Checking through CVS it looks like it is some legacy code from the
> initial support for -VAfile which is now handled differently and
> that isn't needed any more.
>
> Steve.
Another question that arises is that when the -VAfile option is supplied I think it's a good idea to set the OCSP_NOINTERN flag for response verification. My point is that if the cert supplied by the -VAfile option is not able to verify the response, then the OCSP cert from the response is used for verification, and I don't think that's expected in most cases. Anyway, I don't think it's a good idea to look at the cert chain in the response either.

Stefan.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
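The behaviour Stefan describes can be reproduced with the `openssl ocsp` command line, where `-no_intern` is the switch that sets OCSP_NOINTERN. The script below is an added illustration and is not part of the thread or of OpenSSL's own test suite: it builds a throwaway demo PKI in a temporary directory (a CA, a delegated responder with the OCSPSigning EKU, a leaf certificate, and an unrelated self-signed certificate; all names and the serial number 4660 are constructed for the example), uses the built-in `-index` responder to produce a response that carries the responder certificate inside it, and then verifies that response three ways. With an unrelated `-VAfile` and no `-no_intern` the verification still succeeds, because the signer certificate embedded in the response is picked up and chained to `-CAfile`; with `-no_intern` the same command fails, since only the explicitly supplied certificate is consulted; with the real responder certificate in `-VAfile` plus `-no_intern` it succeeds again.

```shell
#!/bin/sh
# Added example, not from the thread: demonstrate -VAfile with and without
# -no_intern (the CLI form of OCSP_NOINTERN) on a constructed throwaway PKI.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Constructed demo CA, a delegated OCSP responder (EKU OCSPSigning), a leaf
# certificate to ask about, and an unrelated self-signed certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Demo-CA \
    -keyout ca.key -out ca.pem >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -subj /CN=Demo-OCSP-Responder \
    -keyout ocsp.key -out ocsp.csr >/dev/null 2>&1
printf 'extendedKeyUsage = OCSPSigning\n' > ocsp.ext
openssl x509 -req -in ocsp.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -extfile ocsp.ext -out ocsp.pem >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -subj /CN=demo-leaf \
    -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 4660 \
    -days 1 -out leaf.pem >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Unrelated \
    -keyout other.key -out other.pem >/dev/null 2>&1

# Minimal CA index (serial 4660 = 0x1234, status V = valid) so the built-in
# responder answers for the leaf. The response is signed by ocsp.pem and,
# by default, carries that certificate inside the response.
printf 'V\t261231235959Z\t\t1234\tunknown\t/CN=demo-leaf\n' > index.txt
openssl ocsp -index index.txt -CA ca.pem -rsigner ocsp.pem -rkey ocsp.key \
    -issuer ca.pem -cert leaf.pem -respout resp.der -noverify >/dev/null 2>&1

# verify_response VAFILE [extra openssl ocsp options]
# Exit status is openssl's own: 0 for "Response verify OK", 1 on failure.
# No -issuer is passed here, so only -VAfile/-CAfile decide the outcome.
verify_response() {
    va=$1; shift
    openssl ocsp -respin resp.der -CAfile ca.pem -VAfile "$va" "$@" \
        >/dev/null 2>&1
}

# show LABEL VAFILE [extra options]: report without tripping set -e
show() {
    label=$1; shift
    if verify_response "$@"; then
        echo "$label: verify OK"
    else
        echo "$label: verify FAILED"
    fi
}

show "unrelated -VAfile, embedded cert allowed" other.pem
show "unrelated -VAfile, -no_intern          " other.pem -no_intern
show "responder -VAfile, -no_intern          " ocsp.pem -no_intern
```

The first case is the one Stefan objects to: the certificate given with -VAfile plays no part in the result, because the responder certificate shipped inside the response is found first and then chain-verified against -CAfile. Note that the verification runs deliberately omit -issuer; when it is present, ocsp.c retries a failed verification with the issuer stack, which can mask the effect of -no_intern.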