On Thu, Jul 24, 2008 at 04:06:45PM +0000, [EMAIL PROTECTED] wrote:

> On 24/7/2008, "Victor Duchovni" <[EMAIL PROTECTED]> wrote:
> >Sample call sequence:
> >
> >    if (SSL_CTX_use_certificate_chain_file(...) <= 0) {
> >        /* error */
> >    }
> >    if (SSL_CTX_use_PrivateKey_file(...) <= 0) {
> >        /* error */
> >    }
> >    if (!SSL_CTX_check_private_key(...)) {
> >        /* error */
> >    }
> >
>
> I'm almost doing that. Would calling SSL_CTX_use_certificate_file
> instead of SSL_CTX_use_certificate_chain_file make any difference to the
> effectiveness of SSL_CTX_check_private_key?
>

No. It just means that the application has to do more work to load the
trust chain, when its cert is not signed directly by a root CA. The
private key can be verified as soon as the public cert and private are
loaded. You can also load the private key first, and then the cert.

--
Viktor.
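
As an added example (not part of the thread and not OpenSSL's own code), the shell sketch below is a command-line counterpart of the check discussed above: it compares the public key of the first certificate in a PEM file with the public key derived from the private key, so a leaf-only file and a leaf-plus-CA chain file give the same answer. All keys, certificates and file names, and the helper functions `key_matches_cert` and `make_demo`, are constructed for the demo; it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: every key and certificate here is generated for the demo.

# key_matches_cert CERT_OR_CHAIN_PEM PRIVATE_KEY_PEM
# Returns 0 when the private key belongs to the FIRST certificate in the
# file, 1 on mismatch, 2 when either file cannot be parsed.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# make_demo DIR: build a throwaway CA, a leaf signed by it, a chain file
# (leaf first, then CA) and an unrelated key.
make_demo() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 1 \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -set_serial 1 -days 1 -out "$1/leaf.pem" 2>/dev/null &&
    cat "$1/leaf.pem" "$1/ca.pem" > "$1/chain.pem" &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null
}

# Stand-alone run: the first two pairs match, the last two do not.
work=$(mktemp -d) && make_demo "$work" || exit 1
for pair in "leaf.pem leaf.key" "chain.pem leaf.key" \
            "leaf.pem other.key" "chain.pem ca.key"; do
    set -- $pair
    if key_matches_cert "$work/$1" "$work/$2"; then
        echo "$1 + $2: key matches certificate"
    else
        echo "$1 + $2: MISMATCH, do not deploy"
    fi
done
rm -rf "$work"
```

The `chain.pem` + `ca.key` pair fails even though the CA certificate is in the file, because only the first certificate is compared against the key.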