On Fri, Mar 09, 2012, Kevin Vargo via RT wrote:

> ----- Original Message -----
> > From: Stephen Henson via RT <[email protected]>
> > To: [email protected]
> > Cc: [email protected]
> > Sent: Saturday, March 3, 2012 8:31 AM
> > Subject: [openssl.org #2751] [ENHANCEMENT] Request moving static
> > get_issuer_sk before X509_verify_cert
> >
> >> [[email protected] - Sat Mar 03 13:23:18 2012]:
> >>
> >>
> >> I'll submit another request related to why I want this done; but the
> >> move itself should be OK, I think. [I would like to be able to
> >> check the "trusted" store for any matching issuer when building the
> >> client-verification chain. This is related to issues from
> >> Cross-Certification.]
> >>
> >
> > Note there is a flag X509_V_FLAG_TRUSTED_FIRST in HEAD which may do what
> > you want.
>
> Yes, this is what I was looking at doing and very similar to how I was going
> to do it. Is there API support for this? E.g., to set from mod_ssl? I
> don't see anything, so I'm just reaching in through ctx->param to set it,
> but if there's a better/more proper way, I'd prefer to do it that way.
>

You can use X509_VERIFY_PARAM_set_flags() on an X509_VERIFY_PARAM structure
and pass those to the SSL_CTX using SSL_CTX_set1_param().

> Also, is this targeted for 1.0.2, I guess? And, would it be possible to
> back-port it to the 0.9.8 branch? I'd love to have, e.g., RHEL5 pick it up
> natively.
>

It is targeted for 1.0.2 but it will never appear in 1.0.0 or 0.9.8 as new
features no longer appear in stable branches.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
