[openssl-users] SSL_CTX ignores many X509_STORE fields and uses own fields

Daurnimator quae at daurnimator.com
Sat Aug 18 02:52:18 UTC 2018


On 18 August 2018 at 03:18, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
> On Fri, Aug 17, 2018 at 11:25:01PM +1000, Daurnimator wrote:
>
>> > When looking into https://github.com/wahern/luaossl/issues/140 I was
>> > surprised to learn that an SSL_CTX* (and SSL*) does not use many of
>> > the X509_STORE members.
>
> There are no plans to change the design.  You can set the verification
> store associated with the SSL_CTX via:
>
>         SSL_CTX_set0_verify_cert_store(3)
>     or
>         SSL_CTX_set1_verify_cert_store(3)
>
> do this early, before using the SSL_CTX to create SSL handles with
> SSL_new().  Configure the store properties as you see fit.


I understand the current design; but I'm left wondering why it has an
additional store member when VERIFY_PARAMS has the field there
already.
The design would seem to be much cleaner if all criteria for
verification were taken from a single object.

