On Wed, Jul 12, 2017 at 02:02:31AM +0200, Jakob Bohm wrote:

> I don't think a state is really needed for this, if the callback
> simply checks if the certificate is in the loaded trust collection,
> and/or if it is self-signed (depending on the application's chosen
> root CA trust model).

Yes, though that too is complicated, e.g. DANE-TA(2) validation
often produces chains where none of the certs are in the local
store or self-signed.  And checking the trust stores for an
exact match takes some care...

The stateful approach is in some ways more elementary.

-- 
        Viktor.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Reply via email to