[openssl-users] SSL_CTX ignores many X509_STORE fields and uses own fields

Daurnimator quae at daurnimator.com
Thu Jul 12 08:49:28 UTC 2018

When looking into https://github.com/wahern/luaossl/issues/140 I was
surprised to learn that an SSL_CTX* (and SSL*) does not use many of
the X509_STORE members.

e.g. a store has a X509_VERIFY_PARAMS field, however although an
SSL_CTX* has a related store, it ignores the store's params and uses
it's own.

For a connection pooling implementation, I need to check that an
existing SSL connection is something that could be approved by a given
I was hoping this would be as simple as doing (error handling omitted
for brevity):

    X509_STORE_CTX_init(vfy_ctx, SSL_CTX_get0_store(ctx),
SSL_get_certificate(ssl), NULL);

However it appears that I really need to do:

    X509_STORE_CTX_init(vfy_ctx, SSL_CTX_get0_store(ctx),
SSL_get_certificate(ssl), NULL);
    // X509_STORE_CTX_set_verify_cb based on SSL_CTX_get_verify_callback(ctx)
    // X509_STORE_CTX_set0_dane
    // etc. etc.

Is this complexity warranted?
Is there any plan to remove the redundant fields?


More information about the openssl-users mailing list