When looking into https://github.com/wahern/luaossl/issues/140 I was surprised to learn that an SSL_CTX* (and SSL*) does not use many of the X509_STORE members. E.g. a store has an X509_VERIFY_PARAM field; however, although an SSL_CTX* has a related store, it ignores the store's params and uses its own.

For a connection pooling implementation, I need to check that an existing SSL connection is something that could be approved by a given SSL_CTX*. I was hoping this would be as simple as doing (error handling omitted for brevity):

    X509_STORE_CTX_init(vfy_ctx, SSL_CTX_get0_store(ctx), SSL_get_certificate(ssl), NULL);
    X509_verify_cert(vfy_ctx);

However it appears that I really need to do:

    X509_STORE_CTX_init(vfy_ctx, SSL_CTX_get0_store(ctx), SSL_get_certificate(ssl), NULL);
    X509_VERIFY_PARAM_inherit(X509_STORE_CTX_get0_param(vfy_ctx), SSL_CTX_get0_param(ctx));
    // X509_STORE_CTX_set_verify_cb based on SSL_CTX_get_verify_callback(ctx)
    // X509_STORE_CTX_set0_dane
    // etc. etc.
    X509_verify_cert(vfy_ctx);

Is this complexity warranted? Is there any plan to remove the redundant fields?

Daurn.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users