[openssl-dev] [openssl.org #4620] OCSP_basic_verify() question/comment

Page, Greg via RT rt at openssl.org
Thu Jul 21 07:14:37 UTC 2016


Hello!


I have been using openssl to get OCSP status for a certificate and I ran across an interesting case.


OCSP responses do not seem to include the intermediate certificates, so they have to be acquired in other ways. I have been doing this and adding them to the certificate stack handed to OCSP_basic_verify().


However, I have noticed that these certificates are not used in creating a certificate chain back to a root CA because they are not added to the X509_STORE_CTX that is sent to X509_verify_cert() and X509_STORE_CTX_get1_chain().


I am relatively new to this so I may be incorrect; however, it seems to me that the certificates in the cert argument should be added to the X509_STORE_CTX.


What are your thoughts?


Thanks,

Greg


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4620
Please log in as guest with password guest if prompted


