Hi Matt, On 31-10-17 16:36, Matt Caswell wrote: > Can you use OCSP_basic_verify() passing in OCSP_NOVERIFY in the final > "flags" argument? This basically finds the signer certificate and > verifies the signature using OCSP_BASICRESP_verify(), but skips all the > chain validation bit. Just wanted to point out that that is, actually, a confusing name for that flag.
"NOVERIFY" seems to imply that there is no verification being done, at all. Intuitively one senses that's not right, and that at least some verification will be done (in casu the signature will still be checked); but figuring out which part of the verification is being dropped and which part isn't requires one to read either the library source or the documentation, both of which are annoying if they can be avoided and do not help for the readability of code that uses the flag in question. Might I suggest that this flag be renamed somehow, to something that makes it more clear what exactly it does? -- Wouter Verhelst -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
