I'm working on an implementation of the client side of OCSP stapling. To verify the stapled information I'm using the chain leading to the server certificate, as presented in the (repeated) verify callbacks for the server cert.
As far as I can see I need to do this because the client is only configured with knowledge of the rootCA cert, not the signing cert for the server cert (and OCSP stapling), and the signing chain is included in the server cert info for the connection but not in the OCSP stapling. Is this the correct overall approach? The coding I have is:

    /* inside the verify callback: int verify_cb(int preverify_ok, X509_STORE_CTX *x509ctx) */
    if (X509_STORE_CTX_get_error_depth(x509ctx) != 0)      /* every cert above the leaf */
        if (!X509_STORE_add_cert(X509_STORE_CTX_get0_store(x509ctx),
                                 X509_STORE_CTX_get_current_cert(x509ctx)))
            ERR_clear_error(); /* error expected for rootCA cert already in store */

Is this a legitimate thing to do?