On Thu, Feb 10, 2011 at 05:03:05PM +0100, Mounir IDRASSI wrote:

> I think you misunderstood Matthias's question? He is not asking about how
> to make his own CA accepted (from his post, it appears he already knows how
> to do that), but he is rather asking how to make an end entity server
> certificate a trusted anchor for OpenSSL certificate chain verification.
> As he explained, this is especially interesting if you connect to a server
> for whom you don't have the corresponding CA certificate: in this case, a trust
> model like the SSH one is desirable.
>
> Personally I don't think it is possible currently without a change to
> OpenSSL internals or the use of the verify callback. That being said, I
> remember vaguely a post by Dr Stephen Henson related to this where he
> mentioned a planned change in this direction, but I can't find a link to
> it.

A custom verification callback should be sufficient, provided the
self-issued cert is not marked with "CA:false".

--
	Viktor.
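
The SSH-style trust model discussed in this thread, as an added example that is not from the thread or from OpenSSL: it uses Python's ssl module and checks a pinned fingerprint of the end-entity certificate right after the handshake, rather than inside an OpenSSL verify callback. The known-hosts dictionary, the function names, the host name and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(known: dict, host: str, der_cert: bytes) -> str:
    """SSH-style decision for this host's certificate: 'new', 'match' or 'mismatch'."""
    seen = fingerprint(der_cert)
    pinned = known.get(host)
    if pinned is None:
        return "new"          # first contact: the caller decides whether to record it
    if hmac.compare_digest(pinned, seen):
        return "match"
    return "mismatch"         # certificate changed since it was pinned: refuse


def connect_pinned(host: str, port: int, known: dict) -> ssl.SSLSocket:
    """Open a TLS connection that is trusted only through the pinned certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # no CA chain is available to validate against
    ctx.verify_mode = ssl.CERT_NONE   # trust comes from the pin check below instead
    sock = ctx.wrap_socket(socket.create_connection((host, port)),
                           server_hostname=host)
    # With binary_form=True the peer certificate is returned even though
    # chain validation is switched off.
    verdict = check_pin(known, host, sock.getpeercert(binary_form=True))
    if verdict != "match":
        sock.close()
        raise ssl.SSLError(f"certificate for {host} is {verdict}, refusing to proceed")
    return sock


# Constructed sample data: stand-in bytes, not a real certificate.
SAMPLE_DER = b"constructed-der-bytes-for-illustration"
KNOWN_HOSTS = {"server.example": fingerprint(SAMPLE_DER)}
```

Because chain validation is off, nothing should be sent on the socket unless `connect_pinned` returns; a "new" verdict is also refused here, so first-time enrollment has to happen out of band.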