On Mon, 2010-05-10 at 14:43 -0400, Chris Bare wrote:
> Is there a way to have X509_verify_cert retry its path building after it
> gets an X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT?
> My idea is to implement a verify callback that uses the AIA information to
> download the issuer cert and add it to the stack of untrusted certs.
> Is this possible, or would I have to let X509_verify_cert error out and call
> it again?

How about...

int my_get_issuer_func(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
{
	int ret = X509_STORE_CTX_get1_issuer(issuer, ctx, x);
	if (ret > 0)
		return ret;

	/* Do whatever you need to look up the issuer... */
}

... and somewhere else in your SSL_CTX setup:

	X509_STORE *store = SSL_CTX_get_cert_store(vpninfo->https_ctx);
	store->get_issuer = my_get_issuer_func;

-- 
David Woodhouse                            Open Source Technology Centre
david.woodho...@intel.com                              Intel Corporation

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org