authorDr. Stephen Henson <steve@openssl.org>2012-07-23 23:34:28 +0000
committerDr. Stephen Henson <steve@openssl.org>2012-07-23 23:34:28 +0000
commit74ecfab401fe65d23d9b297bf396efca3e419e47 (patch)
tree8973a35de9df0e74464f8b6dcef0703aa2636dee /apps/s_client.c
parent5818a07a4fdae6cff28c625f947b409f21b34c53 (diff)
Add support for certificate stores in CERT structure. This makes it
possible to have different stores per SSL structure or one store in the parent SSL_CTX. Include distinct stores for certificate chain verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN to build and store a certificate chain in CERT structure, returning an error if the chain cannot be built: this will allow applications to test if a chain is correctly configured. Note: if the CERT based stores are not set then the parent SSL_CTX store is used to retain compatibility with existing behaviour.
Diffstat (limited to 'apps/s_client.c')
-rw-r--r--apps/s_client.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/apps/s_client.c b/apps/s_client.c
index 97f7cbd922..783a49e083 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -559,6 +559,7 @@ int MAIN(int argc, char **argv)
{
unsigned int off=0, clr=0;
unsigned int cert_flags=0;
+ int build_chain = 0;
SSL *con=NULL;
#ifndef OPENSSL_NO_KRB5
KSSL_CTX *kctx;
@@ -877,6 +878,8 @@ int MAIN(int argc, char **argv)
if (--argc < 1) goto bad;
CApath= *(++argv);
}
+ else if (strcmp(*argv,"-build_chain") == 0)
+ build_chain = 1;
else if (strcmp(*argv,"-CAfile") == 0)
{
if (--argc < 1) goto bad;
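Review bot: The new `-build_chain` switch is parsed here but never documented in the help output. The diffstat counts six insertions in this file and all six are in the visible hunks, so no usage line was added. I would add one next to the existing `-CApath`/`-CAfile` entries in the usage routine, for example `BIO_printf(bio_err," -build_chain  - build the certificate chain before use\n");`. The option-parsing chain and MAIN itself continue outside this hunk.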
@@ -1212,8 +1215,6 @@ bad:
#endif
SSL_CTX_set_verify(ctx,verify,verify_callback);
- if (!set_cert_key_stuff(ctx,cert,key, NULL))
- goto end;
if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
(!SSL_CTX_set_default_verify_paths(ctx)))
@@ -1223,6 +1224,9 @@ bad:
/* goto end; */
}
+ if (!set_cert_key_stuff(ctx,cert,key, NULL, build_chain))
+ goto end;
+
#ifndef OPENSSL_NO_TLSEXT
if (curves != NULL)
if(!SSL_CTX_set1_curves_list(ctx,curves)) {
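Review bot: The relocated `set_cert_key_stuff` call now depends on statement order, and nothing in the code says so. With `-build_chain` the chain is presumably built from the store that `SSL_CTX_load_verify_locations` populates just above (the commit message says the parent SSL_CTX store is used when no CERT store is set), so moving the call back up later would quietly break chain building. I would add a comment above the call such as `/* Must follow the CAfile/CApath load: -build_chain builds from the store set up above */`. Note also that a failed CA load is tolerated here (`/* goto end; */`), so a later chain-build failure would exit via `goto end` without pointing at the real cause. MAIN's body extends beyond this hunk.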