On Wed, Jul 12, 2017 at 02:02:31AM +0200, Jakob Bohm wrote:

> I don't think a state is really needed for this, if the callback
> simply checks if the certificate is in the loaded trust collection,
> and/or if it is self-signed (depending on the application's chosen
> root CA trust model).

Yes, though that too is complicated, e.g. DANE-TA(2) validation often
produces chains where none of the certs are in the local store or
self-signed. And checking the trust stores for an exact match takes
some care...

The stateful approach is in some ways more elementary.

--
Viktor.