On Wed, Jul 12, 2017 at 02:02:31AM +0200, Jakob Bohm wrote:
> I don't think a state is really needed for this, if the callback
> simply checks if the certificate is in the loaded trust collection,
> and/or if it is self-signed (depending on the application's chosen
> root CA trust model).
Yes, though that too is complicated, e.g. DANE-TA(2) validation
often produces chains where none of the certs are in the local
store or self-signed. And checking the trust stores for an
exact match takes some care...
The stateful approach is in some ways more elementary.
--
Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
