2013/4/11 Dave Thompson <dthomp...@prinpay.com>

> > From: owner-openssl-us...@openssl.org On Behalf Of Felipe Blauth
> > Sent: Wednesday, 10 April, 2013 17:35
> >
> > [In a server] I can't use SSL_CTX_load_verify_locations anymore,
> > because now I load stuff from a database. So I was happy
> > adding the certificates I need to form my trusted path through
> > SSL_CTX_add_extra_chain_cert and then... didn't work =(.
> >
> > Digging a bit I found a post here in openssl-users that
> > explains that I need to add the certificates via
> > X509_STORE_add_cert [to SSL_CTX_get_cert_store()]
>
> _add_extra_chain_cert adds a cert to the chain this entity
> uses to authenticate itself to the peer; in a server this
> means it adds to the chain the server sends the client.
> _use_certificate_chain_file effectively combines
> _use_certificate plus _extra_chain from a file only.

Ah... I got confused. Thanks for the clarifications. I didn't know I could put more certs to send to the peer. I thought all I could do was set up a single cert via SSL_CTX_use_certificate or SSL_CTX_use_certificate_file. Shame on me ^.^
> _load_verify provides or locates certs this entity uses
> to verify the cert/chain *from* the peer; in a server
> these are the certs the server uses to verify the client --
> if client authentication is used, which often it isn't.
> This is called the "trust store" because it is used to
> determine which other parties you trust.
> These are different functions, although they can become
> confused because *if* your "own" chain is incomplete
> *and* the cert(s) needed to complete it are in the trust store,
> OpenSSL automatically finds and adds them. Thus you can use
> either way to provide your own chain, but only _load_verify,
> or as you found _add_cert to the cert_store, to provide
> the trust store.
>
> Which of these two things do you want?

I wanted to add certs to the "trust store" since I had already added my cert via SSL_CTX_use_certificate (and that's all I need). You made yourself very clear, no doubts left.

> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org

-- 
Felipe Menegola Blauth