Hey folks. I have an OpenSSL TCP server that is under modifications, so I need to change my code. The SSL setup is simple, and I'll spare you from that.
The point is that I can't use SSL_CTX_load_verify_locations anymore, because now I load stuff from a database. So I was happily adding the certificates I need to form my trusted path through SSL_CTX_add_extra_chain_cert and then... it didn't work =(.

Digging a bit, I found a post here in openssl-users that explains that I need to add the certificates via X509_STORE_add_cert, something like:

    X509_STORE *store = SSL_CTX_get_cert_store(my_context); /* same as my_context->cert_store, no need to free */
    X509_STORE_add_cert(store, cert1);
    X509_STORE_add_cert(store, cert2);
    ... and so on ...

This works. I tried to dig a little into the code of SSL_CTX_load_verify_locations to understand why it doesn't work, but it uses ctrls via function pointers that were a bit hard to find (I confess I didn't try too hard, time is short here...).

So my question is: why does a function like SSL_CTX_add_extra_chain_cert exist if it doesn't work? And, if it does work, what should I do beforehand to use it properly?

Cya.

-- Felipe Menegola Blauth