Alon Bar-Lev wrote:
> Why not use SSL_CTX_add_client_CA and add all CAPI root store into
> OpenSSL context?

My initial approach (v1) was that (albeit not with SSL_CTX_add_client_CA but with X509_STORE_add_cert). This was flawed, for the reasons I mentioned in the v2 changelog (which, btw, you have seen and commented on :-):

- CRLs are not handled that way.
- It is hard, if not impossible, to build proper chains from the imported CAs. E.g. you can have an intermediate CA in the Windows Certificate Store that is *not* trusted by Windows because the root CA doesn't exist in the respective store.
- It felt like a gross hack.

It seems that it is much better to ask Windows to check whether the presented certificate is trusted or not than to try to build the trust path yourself and import it into OpenSSL.

Regards,
Faidon