On 3/25/16, 17:17 , "openssl-users on behalf of Viktor Dukhovni" <openssl-users-bounces at openssl.org on behalf of openssl-users at dukhovni.org> wrote: >>If I ask ?is your passport valid?, I expect to be able to repeat this >> question and (as long as this all is within a reasonably short time) get >> exactly the same answer. > >The result of X509_verify_cert() is not just a single error value... >... >Whatever is motivating the desire to call X509_verify_cert() twice >is likely some deficiency (whether actual or perceived) in the >current functionality, and we should probably address the underlying >problem and the not the superficial symptoms. I cannot comment or criticize here, because I?m not at that point (yet?). I?m not using this functionality now, and when I do I?ll probably account for this bit of wisdom (using the correct call sequence). >If you're doing this in the context of SSL, the SSL layer configures >the X509_STORE_CTX with various parameters beyond just >X509_STORE_CTX_init(), and using your own fresh context will not >work well. Most likely, when I do need to use this it wouldn?t be in the context of SSL. But I will remember this (not to use my own fresh context when using SSL) too. ;) Thanks! -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4324 bytes Desc: not available URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160328/cd5326ac/attachment.bin>
