On 18 August 2018 at 03:18, Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:
> On Fri, Aug 17, 2018 at 11:25:01PM +1000, Daurnimator wrote:
>
>> > When looking into https://github.com/wahern/luaossl/issues/140 I was
>> > surprised to learn that an SSL_CTX* (and SSL*) does not use many of
>> > the X509_STORE members.
>
> There are no plans to change the design. You can set the verification
> store associated with the SSL_CTX via:
>
>     SSL_CTX_set0_verify_cert_store(3)
> or
>     SSL_CTX_set1_verify_cert_store(3)
>
> do this early, before using the SSL_CTX to create SSL handles with
> SSL_new(). Configure the store properties as you see fit.

I understand the current design; but I'm left wondering why it has an
additional store member when VERIFY_PARAMS has the field there
already.
The design would seem to be much cleaner if all criteria for
verification are taken from a single object.