>From: owner-openssl-us...@openssl.org On Behalf Of Felipe Blauth
>Sent: Wednesday, 10 April, 2013 17:35
>
>[In a server] I can't use SSL_CTX_load_verify_locations anymore,
>because now I load stuff from a database. So I was happy
>adding the certificates I need to form my trusted path through
>SSL_CTX_add_extra_chain_cert and then... didn't work =(.
>Digging a bit I found a post here in openssl-users that
>explains that I need to add the certificates via
>X509_STORE_add_cert [to SSL_CTX_get_cert_store()]

_add_extra_chain_cert adds a cert to the chain this entity uses to authenticate itself to the peer; in a server this means it adds to the chain the server sends the client. _use_certificate_chain_file effectively combines _use_certificate plus _extra_chain from a file only.

_load_verify provides or locates certs this entity uses to verify the cert/chain *from* the peer; in a server these are the certs the server uses to verify the client -- if client-authentication is used, which often isn't. This is called the "trust store" because it is used to determine which other parties you trust.

These are different functions, although they can become confused because *if* your "own" chain is incomplete *and* the cert(s) needed to complete it are in the trust store, OpenSSL automatically finds and adds them. Thus you can use either way to provide your own chain, but only _load_verify, or as you found _add_cert to the cert_store, to provide the trust store.

Which of these two things do you want?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org