>       From: owner-openssl-us...@openssl.org On Behalf Of Jerry Wang
>       Sent: Thursday, 28 May, 2009 16:28

>       I have a question about using X509_verify_cert(X509_STORE_CTX) - 
> Where does the root certificate get populated in the struct X509_STORE_CTX, 
> is it supposed to be included?

It certainly shouldn't be (only) in the untrusted 'chain' because 
then there's no way to determine that it should be trusted.

It *looks* to me like you could put it (and possibly more) in 
(set)_trusted_stack, but I haven't tried that.

The usual way is to have it in the local 'trust store', which can be 
a file (containing possibly multiple certs) and/or a directory 
of certs (files) with hash links, set by load_verify_locations 
in the SSL_CTX from which you create the SSL whose store is used.
This allows it to be looked up automatically/by default as needed.



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
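
The difference between the untrusted chain and the trust store discussed in the reply above, as an added example that is not part of the original message. It uses the `openssl verify` command, whose `-untrusted` file feeds the untrusted chain and whose `-CAfile` feeds the trust store; the function names, the "Demo Root" / "demo.leaf" names and all keys and certificates are constructed for this illustration.

```shell
#!/bin/sh
# Added example: all keys and certificates are throwaway values constructed here.

# make_pki DIR: create a self-signed root CA and a leaf it signs, inside DIR.
make_pki() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1 &&
    openssl req -new -config "$d/ca.cnf" -subj "/CN=demo.leaf" -newkey rsa:2048 \
        -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" >/dev/null 2>&1
}

# verify_ok ARGS...: succeed only if `openssl verify ARGS` reports "<file>: OK".
# The output is checked instead of the exit status, which old releases got wrong.
verify_ok() {
    openssl verify "$@" 2>/dev/null | grep -q ': OK$'
}

# root_as_untrusted DIR: the root is supplied only as an untrusted chain cert.
root_as_untrusted() { verify_ok -untrusted "$1/root.pem" "$1/leaf.pem"; }

# root_in_trust_store DIR: the root is supplied as the trust store file.
root_in_trust_store() { verify_ok -CAfile "$1/root.pem" "$1/leaf.pem"; }

demo() {
    d=$(mktemp -d) || return 1
    make_pki "$d" || { rm -rf "$d"; return 1; }
    if root_as_untrusted "$d"; then echo "root in untrusted chain only: OK"
    else echo "root in untrusted chain only: rejected"; fi
    if root_in_trust_store "$d"; then echo "root in trust store: OK"
    else echo "root in trust store: rejected"; fi
    rm -rf "$d"
}
demo
```

The first check is rejected because a self-signed certificate that arrives only in the untrusted chain completes the path but is never treated as a trust anchor.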
