I am also interested in the ability to allow non-root certs, but my company is not planning on distributing OpenSSL. Therefore a custom verification callback would not be an option; we would need a compile option to allow this feature. We work in an embedded environment (firmware), and need to be able to specify X509 certs that are not self-signed as trusted. Any idea if this feature will make it into an OpenSSL release?
Regards,
Marty

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Victor Duchovni
Sent: Friday, February 11, 2011 5:31 AM
To: openssl-users@openssl.org
Subject: Re: Adding non-root certificates to the list of trusted certificates?

On Thu, Feb 10, 2011 at 05:03:05PM +0100, Mounir IDRASSI wrote:

> I think you misunderstood Matthias's question? He is not asking about
> how to make his own CA accepted (from his post, it appears he already
> knows how to do that), but he is rather asking how to make an end
> entity server certificate a trusted anchor for OpenSSL certificate chain
> verification.
> As he explained, this is especially interesting if you connect to a
> server for whom you don't have the corresponding CA certificate: in this
> case, a trust model like the SSH one is desirable.
>
> Personally I don't think it is possible currently without a change to
> OpenSSL internals or the use of the verify callback. That being said,
> I remember vaguely a post by Dr Stephen Henson related to this where
> he mentioned a planned change in this direction, but I can't find a
> link to it.

A custom verification callback should be sufficient, provided the
self-issued cert is not marked with "CA:false".

--
Viktor.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org