On 10/11/10 22:30, Victor Duchovni wrote:
> On Wed, Nov 10, 2010 at 10:10:48PM +0000, Dimitrios Siganos wrote:
> You can turn the can't find local issuer error for B, into an
> OK in the verification callback by specifically whitelisting
> the fingerprint of B, or finding B in a suitable store.

So the solution is:
1) Maintain a list of trusted fingerprints (trusted intermediate CAs).
2) On UNABLE_TO_GET_ISSUER_CERT_LOCALLY (in verify callback), return 1,
if the cert's fingerprint is listed in my trusted fingerprints list.

Does that mean that the verification can continue as normal and all the
usual tests, not yet performed, will be performed as usual?

>> We want to be able to connect a client, which trusts 'B', to a server
>> that only has 'C'. 'A' should not enter the picture at all.
>>
>> What is the correct way to achieve this with openssl?
> 
> If you are coding the SSL client, you can customize the verification
> callbacks. The default verification callbacks check for a trusted
> self-signed root. This may be easier if the server presents "B+C",
> not just "C" as its cert chain.

Yes, I am coding the SSL client only. My client must work in all
possible scenarios. I have no control over the server(s) and don't know
how they will present their certificates. Are you saying that the
solution above is inadequate?

Thank you very much for your quick reply.

Dimitrios Siganos
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
