Hi Viktor,

Could you please elaborate on "...although doing the latter potentially gives you the opportunity to decorate them with auxiliary trust EKUs."

Does it mean "EKUs" "out of" the certificate? Is it just about using X509_STORE_set_trust() and the like, as mentioned in the X509_STORE_add_cert man page, or something else?

Regards,
Michel

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On behalf of Viktor Dukhovni
Sent: Monday 30 March 2020 23:19
To: openssl-users@xxxxxxxxxxx
Subject: Re: Peer certificate verification in verify_callback

[...]

> I set up an X509_STORE object and then cycle through all of the
> certificate files in /etc/ssl/certs/, open them, and call
> PEM_read_X509() to get an X509 (certificate) object and then call
> X509_STORE_add_cert(x509_stor, certificate) to read the certificates
> into my trusted store, X509_store object.

It would be far simpler to concatenate them into a single CAfile, or use
"c_rehash" to create the symlinks needed to make the directory into a
workable CApath. You should not have to manually load them into your
own store, although doing the latter potentially gives you the
opportunity to decorate them with auxiliary trust EKUs.

> If the user of this CTX is acting as a client and the server presents
> a certificate chain, and my trusted store has the root, the connection
> will work, as the chain is verified and trusted.

[...]

--
    Viktor.
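The "auxiliary trust EKUs" Viktor refers to are not the certificate's own extendedKeyUsage extension; they are trust settings attached to a trust-anchor certificate on the verifier's side (X509_add1_trust_object()/X509_add1_reject_object() in C, or "openssl x509 -addtrust/-addreject -trustout" on the command line, which writes a "TRUSTED CERTIFICATE" PEM block). X509_STORE_set_trust() is the other half: it sets which trust id the verifier asks for, and that id is compared against the anchor's trust list. The script below is an added example, not code from the thread or from the OpenSSL project: it builds a throwaway root and leaf, writes a copy of the root decorated with serverAuth trust only, and checks both copies with "openssl verify -purpose sslserver" and "-purpose sslclient" (the -purpose option selects the same X509_PURPOSE_*/X509_TRUST_* ids the C API uses). It assumes an openssl binary with 1.1.1 or 3.x semantics; the subjects, file names and scratch directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the thread): give a CA certificate auxiliary
# trust settings with the openssl CLI and show how OpenSSL's verifier
# honours them. Assumes an openssl binary with 1.1.1 or 3.x semantics on
# PATH; subjects, file names and the scratch directory are invented here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = Demo Root

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
# The leaf itself is allowed both roles; only the CA's trust settings differ.
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:demo.example
EOF

make_pki() {
    # Constructed self-signed root and one leaf it issued (P-256, 30 days).
    openssl req -x509 -config "$WORK/demo.cnf" -extensions v3_ca \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 30 >/dev/null 2>&1
    openssl req -new -config "$WORK/demo.cnf" -subj "/CN=demo.example" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -extfile "$WORK/demo.cnf" -extensions leaf \
        -out "$WORK/leaf.pem" >/dev/null 2>&1

    # Decorate a copy of the root: the "TRUSTED CERTIFICATE" PEM block carries
    # the auxiliary trust list (the same data X509_add1_trust_object() sets).
    openssl x509 -in "$WORK/ca.pem" -addtrust serverAuth -trustout \
        -out "$WORK/ca-serverauth.pem"
}

# verify_as PURPOSE CAFILE -> prints OK or REJECTED for leaf.pem.
# -purpose selects the X509_PURPOSE_* id and, with it, the X509_TRUST_* id
# the verifier asks for; X509_STORE_set_purpose()/X509_STORE_set_trust()
# do the same thing in C.
verify_as() {
    purpose=$1
    cafile=$2
    if openssl verify -no-CApath -purpose "$purpose" \
            -CAfile "$WORK/$cafile" "$WORK/leaf.pem" 2>&1 \
        | grep -qxF "$WORK/leaf.pem: OK"; then
        echo OK
    else
        echo REJECTED
    fi
}

make_pki
for purpose in sslserver sslclient; do
    printf '%-9s plain CA: %-8s serverAuth-only CA: %s\n' "$purpose" \
        "$(verify_as "$purpose" ca.pem)" "$(verify_as "$purpose" ca-serverauth.pem)"
done
```

The plain root is trusted for both purposes simply because it is self-signed. Once the copy carries an explicit trust list, OpenSSL (1.1.0 and later) trusts it only for the listed purposes and rejects the rest, so the sslclient check fails with "certificate rejected" even though the leaf's own EKU allows clientAuth. That is the effect you can only get by loading anchors yourself (or from a CAfile/CApath containing TRUSTED CERTIFICATE blocks) rather than from untouched PEM files: the decoration lives with the anchor, not with the certificate being verified.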