Hi Michel,
Many thanks for this very quick reply!
On 06.06.2011 14:20, Michel (PAYBOX) wrote:
> Hi Albrecht,
> I might be wrong, but I think you should use instead
> SSL_CTX_get_cert_store() and then *X509_STORE_add_cert*
> to add the certificate to the list of trusted ones that will be used
> for verification.
Yep, this seems to do the trick.
> Certificates added using SSL_CTX_add_extra_chain_cert() are not
> trusted.
> <http://www.openssl.org/docs/ssl/SSL_CTX_add_extra_chain_cert.html#>
Okay, thanks, this explains the verification error.
I'm still wondering though how I could have found that out myself. :-(
Unfortunately <http://www.openssl.org/docs/ssl/SSL_CTX_set_cert_store.html>
reads: "Currently no detailed documentation on how to use the X509_STORE
object is available." Is there some more documentation available
elsewhere, or am I supposed to read the sources?
FWIW, here is the new part of the working code, stripped down w/o error
handling:
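const unsigned char *p_buf = ca_cert_asn1;       /* assumed setup: d2i_X509() advances p_buf */
X509 *Cert = d2i_X509(NULL, &p_buf, sizeof(ca_cert_asn1));
X509_STORE *store = SSL_CTX_get_cert_store(ctx); /* owned by ctx, do not free */
X509_STORE_add_cert(store, Cert);                /* the store takes its own reference */
X509_free(Cert);                                 /* release the caller's reference */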
--
Regards
Albrecht
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org