Thanks for your response. I did not know this functionality was in OpenSSL, so 
this may make my work much easier. I have two further questions:

1. Is there any documentation anywhere on this engine? All I've found is a few 
previous postings on this mailing list and a few others on how to configure the 
openssl utility to use it, but not third-party applications.

2. If I'm building OpenSSL as a shared object (using the OpenSSL FIPS module), 
the ENGINE_load_capi function does not exist in either libeay32.lib or 
ssleay32.lib. I'm guessing it's in capi.dll but I have no idea how to load and 
use it through that interface.

Graeme

From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On 
Behalf Of Jan Just Keijser
Sent: Monday, October 07, 2013 10:38 AM
To: openssl-dev@openssl.org
Subject: Re: Using Windows certificate store through OpenSSL

Perrow, Graeme wrote:
I'd like to add the ability for my (client) application to use the Windows 
certificate store to verify a server's certificate during an SSL handshake. 
I've created a callback and set it using SSL_CTX_set_verify( ctx, 
SSL_VERIFY_PEER, mycallback ). Inside that callback, I can retrieve information 
about the server's certificate and can also enumerate through the certificates 
in the certificate store.

But then what? Is there a way to tell OpenSSL "Please verify the server's 
certificate using this trusted certificate"? In the case when the client 
supplies the trusted certificate in advance, I can pass it to 
X509_STORE_add_cert before the handshake but can I do that *during* the 
handshake? Can I simply get the PEM / DER information for both certificates and 
memcpy them?

Wasn't support for this added via the crypto engine 'capieng'? Rebuild openssl 
using
  ./config enable-capieng

and use the CAPI engine.

HTH,

JJK
