Hello! When you connect to a webserver for which you do not have a trusted CA certificate, normally the browser allows you to permanently accept the certificate and continue.
How can this be done using OpenSSL? If I add this non-self-signed certificate to the list of trusted certificates (e.g. via CAfile), it is ignored and verification fails. I have never had any success if the certificate chain was incomplete.

Example: I have the following certificates:

root-ca.cert -> ca.cert -> server.cert

The server uses server.cert as certificate. If CAfile contains root-ca.cert, everything works fine. However, if CAfile only contains server.cert, verification fails. But this is exactly what most browsers allow: Just accept any certificate as long as the user has allowed to accept it.

So how can this be done using OpenSSL? Is there any option I can set? Or is there only the brute force way of using the verify callback, reading all the certificates from CAfile and comparing them manually with the server certificate?

Regards,
Matthias Meixner

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
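Added example, not part of the original message: the three-certificate chain from the question rebuilt with throwaway keys, showing that a CAfile holding only server.cert is rejected by default and accepted once `-partial_chain` (OpenSSL 1.0.2 and later) lets a non-self-signed certificate in the trust store act as the trust anchor. The subject names and the helper functions `new_csr`, `make_chain`, `verify_rc` and `demo` are constructed for illustration, and a standard `openssl` command-line install (1.1.0 or later, for meaningful exit codes) is assumed.

```shell
#!/usr/bin/env bash
# Added example: rebuild root-ca.cert -> ca.cert -> server.cert with throwaway
# keys (all subject names are constructed) and compare verification results.

new_csr() {   # $1 = work dir, $2 = file basename, $3 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_chain() {   # $1 = work dir; writes root-ca.cert, ca.cert, server.cert
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext" &&
  printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext" &&
  new_csr "$d" root-ca 'Constructed Root CA' &&
  new_csr "$d" ca 'Constructed Intermediate CA' &&
  new_csr "$d" server 'server.example.test' &&
  openssl x509 -req -days 1 -in "$d/root-ca.csr" -signkey "$d/root-ca.key" \
    -extfile "$d/ca.ext" -out "$d/root-ca.cert" 2>/dev/null &&
  openssl x509 -req -days 1 -in "$d/ca.csr" -CA "$d/root-ca.cert" \
    -CAkey "$d/root-ca.key" -CAcreateserial -extfile "$d/ca.ext" \
    -out "$d/ca.cert" 2>/dev/null &&
  openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/ca.cert" \
    -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/leaf.ext" \
    -out "$d/server.cert" 2>/dev/null
}

# Print the exit status of `openssl verify` (0 means the chain was accepted).
verify_rc() {
  local rc=0
  openssl verify "$@" >/dev/null 2>&1 || rc=$?
  echo "$rc"
}

demo() {
  local d
  d=$(mktemp -d) || return 1
  make_chain "$d" || return 1
  # ca.cert is passed as -untrusted: it stands in for what the server sends.
  echo "CAfile=root-ca.cert               -> $(verify_rc \
    -CAfile "$d/root-ca.cert" -untrusted "$d/ca.cert" "$d/server.cert")"
  echo "CAfile=server.cert                -> $(verify_rc \
    -CAfile "$d/server.cert" -untrusted "$d/ca.cert" "$d/server.cert")"
  echo "CAfile=server.cert -partial_chain -> $(verify_rc -partial_chain \
    -CAfile "$d/server.cert" -untrusted "$d/ca.cert" "$d/server.cert")"
  rm -rf "$d"
}
demo
```

In application code the same behaviour is the `X509_V_FLAG_PARTIAL_CHAIN` verification flag, set on the `X509_VERIFY_PARAM` of the `SSL_CTX`. Trusting the leaf this way pins that exact certificate, so hostname checking is still needed and the pin has to be replaced when the server certificate is renewed.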