I'd really like to see this feature in a future build. Is there anything more that needs to be done to integrate this into 2.1? I can help with code cleanup/refactoring. I don't have a development environment set up, though, so I'd be working blind.
Cheers,
Jason

On 9/23/07, Faidon Liambotis wrote:
Alon Bar-Lev wrote:
> On 9/22/07, Faidon Liambotis <paravoid@xxxxxxxxxx> wrote:
>> Alon Bar-Lev wrote:
>>> So you need to use CertVerifyCertificateChainPolicy() with CERT_CHAIN_POLICY_SSL
>> I'm no Microsoft developer (and I don't want to be, to be honest) but if
>> I understand it right, it's better to call CertGetCertificateChain() as
>> I am doing.
>
> You need to use both, one to create the chain and the other to verify
> that it meets with system CTL for SSL.

Seems that you are right. Below you will find -v4 of the patch that does that.

Also, my previous version didn't actually check for revocations, contrary to what I documented. I added CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT to the dwFlags of CertGetCertificateChain.

Let me know what you think.

Thanks,
Faidon