On Thu, Aug 29, 2002 at 09:10:47AM -0400, Shaheed Bacchus wrote:
>     You are correct, "issuer" is not self-signed (in fact it's
> the cert that's provided by default with openssl in the
> apps/demoCA dir).  So how do I tell the verification
> routine to not walk further down the tree?  Ideally I'd
> like to give it a cert that may or may not be self-signed
> and have it consider that cert to be trusted, therefore
> when doing the verification if it finds that the client cert
> chain has been signed at some point by this cert it
> considers the client cert to be valid.  Does this make
> sense?

OpenSSL does not support "trusted" certificates that are not self-signed
root CA certificates. It will always walk down the chain.
What could be done is to catch the mentioned error condition in the
callback and declare the certificate to be correct there.

It would take some extensions to the certificate verification code 
to change the behaviour. I don't know how large the interest is
in such an extension.

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
