On Tue, Feb 19, 2013, Jeremy Harris wrote:

> On 18/02/2013 22:32, Dr. Stephen Henson wrote:
> >> That's fine except that we're using SSL_CTX_set_verify() callback already
> >> and the docs say it and SSL_CTX_set_cert_verify_callback() should not
> >> be mixed.
> >>
> >
> > That explanation could be clearer. In this case it's fine to mix the two.
>
> OK, thank you. Now, about the need for a store for the OCSP verify?
You can disable verification altogether with the OCSP_NOVERIFY flag to
OCSP_basic_verify; it should then never reference the passed store and it
can be NULL. That's fine if the OCSP response has been signed by a CA in the
server certificate chain, as that chain has already been verified.

If you have a delegated signing certificate, or one from a different chain
that is trusted implicitly, then you still need to verify the chain.

This is a bit messy, but one way I can think of to handle this is something
like this:

1. Retrieve the server certificate chain (i.e. the unverified one received
   by the client) using SSL_get_peer_cert_chain.

2. Add each certificate in the peer chain to the OCSP_BASICRESP structure
   using OCSP_basic_add1_cert().

3. Pass the same X509_STORE you used to verify the server chain to
   OCSP_basic_resp().

What that should then do is attempt to verify the responder certificate
using all the certificates sent by the server and in the OCSP response as
untrusted CAs.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org