Random Coder wrote:

> I'm not sure if the wget maintainers would be interested, but I've
> been carrying this patch around in my private builds of wget for a
> while. It allows wget to load SSL certs from the default Windows cert
> store.
I've applied your patch. It seems to work fine. Nice!

But in a message like:

  X509 certificate successfully verified and matches host www.ssllabs.com

it would be nice to know if it succeeded because of WinCrypt or OpenSSL.

> + /* Loop through all the certs in the Windows cert store */
> + for ( pCertCtx = Local_CertEnumCertificatesInStore(hStore, NULL);
> + pCertCtx != NULL;
> + pCertCtx = Local_CertEnumCertificatesInStore(hStore, pCertCtx) )
> + {
> + if (!((pCertCtx->dwCertEncodingType & PKCS_7_ASN_ENCODING) ==
> PKCS_7_ASN_ENCODING))
> + {
> + /* Add all certs we find to OpenSSL's store */

How does this prevent an expired cert from being used? I see in the
'CERT_INFO' structure a 'NotAfter' member. But this struct seems to be
supported for WINAPI_PARTITION_APP only :-( I assume this could be used
to check expired certificates.

-- 
--gv
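Review bot: the encoding filter in the for loop keeps every context whose dwCertEncodingType is anything other than exactly PKCS_7_ASN_ENCODING, a double negative that is easy to misread; if the intent is to import only DER-encoded X.509 certificates, test `pCertCtx->dwCertEncodingType & X509_ASN_ENCODING` directly and say so in the comment. The comment "Add all certs we find to OpenSSL's store" should also state that no validity-period filtering happens in this loop (the enumerated context carries pCertCtx->pCertInfo->NotBefore and NotAfter), so a reader knows whether expiry is meant to be enforced here or left entirely to OpenSSL's chain verification.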
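Added example, not code from the patch or from wget: the NotAfter check gv asks about, done by converting the CERT_INFO FILETIME fields to Unix time and skipping certificates outside their validity window before they are handed to OpenSSL. The "ROOT" store name and the d2i_X509/X509_STORE_add_cert glue are this example's own assumptions; the FILETIME arithmetic is portable and is the only part that runs off Windows.

```c
/* Added example (not the wget patch): skip Windows store certificates that
 * are outside their validity period before adding them to OpenSSL. */
#include <stdint.h>
#include <time.h>

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#include <openssl/x509.h>
#else
/* Minimal stand-in so the time check compiles and runs off Windows. */
typedef struct { uint32_t dwLowDateTime; uint32_t dwHighDateTime; } FILETIME;
#endif

/* FILETIME counts 100 ns ticks since 1601-01-01 UTC; Unix time starts
 * 1970-01-01 UTC. The offset between the two epochs is 11644473600 s. */
#define FILETIME_UNIX_EPOCH_DIFF 11644473600LL

time_t filetime_to_time_t(const FILETIME *ft)
{
    uint64_t ticks = ((uint64_t)ft->dwHighDateTime << 32) | ft->dwLowDateTime;
    return (time_t)((int64_t)(ticks / 10000000ULL) - FILETIME_UNIX_EPOCH_DIFF);
}

void unix_to_filetime(time_t t, FILETIME *ft)
{
    uint64_t ticks = (uint64_t)((int64_t)t + FILETIME_UNIX_EPOCH_DIFF) * 10000000ULL;
    ft->dwLowDateTime = (uint32_t)(ticks & 0xffffffffULL);
    ft->dwHighDateTime = (uint32_t)(ticks >> 32);
}

/* 1 if 'now' lies inside [NotBefore, NotAfter], 0 otherwise. */
int cert_time_valid(const FILETIME *not_before, const FILETIME *not_after, time_t now)
{
    return now >= filetime_to_time_t(not_before) && now <= filetime_to_time_t(not_after);
}

#ifdef _WIN32
/* Walk the ROOT system store (assumed store name) and add only DER X.509
 * certificates that are currently valid. Returns the count added, -1 on error. */
int load_valid_windows_roots(X509_STORE *store)
{
    HCERTSTORE hStore = CertOpenSystemStoreA(0, "ROOT");
    PCCERT_CONTEXT ctx = NULL;
    int added = 0;
    time_t now = time(NULL);
    if (!hStore) return -1;
    /* CertEnumCertificatesInStore frees the previous context on each call. */
    while ((ctx = CertEnumCertificatesInStore(hStore, ctx)) != NULL) {
        const CERT_INFO *info = ctx->pCertInfo;
        if (!(ctx->dwCertEncodingType & X509_ASN_ENCODING)) continue;
        if (!cert_time_valid(&info->NotBefore, &info->NotAfter, now)) continue;
        const unsigned char *p = ctx->pbCertEncoded;
        X509 *x = d2i_X509(NULL, &p, (long)ctx->cbCertEncoded);
        if (x) { if (X509_STORE_add_cert(store, x) == 1) added++; X509_free(x); }
    }
    CertCloseStore(hStore, 0);
    return added;
}
#endif
```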