author | Dr. Stephen Henson <steve@openssl.org> | 2012-07-23 23:34:28 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2012-07-23 23:34:28 +0000 |
commit | 74ecfab401fe65d23d9b297bf396efca3e419e47 (patch) | |
tree | 8973a35de9df0e74464f8b6dcef0703aa2636dee /apps/s_client.c | |
parent | 5818a07a4fdae6cff28c625f947b409f21b34c53 (diff) | |
download | openssl-74ecfab401fe65d23d9b297bf396efca3e419e47.tar.gz |
Add support for certificate stores in CERT structure. This makes it
possible to have different stores per SSL structure or one store in
the parent SSL_CTX. Include distinct stores for certificate chain
verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
to build and store a certificate chain in CERT structure: returning
an error if the chain cannot be built: this will allow applications
to test if a chain is correctly configured.
Note: if the CERT based stores are not set then the parent SSL_CTX
store is used to retain compatibility with existing behaviour.
Diffstat (limited to 'apps/s_client.c')
-rw-r--r-- | apps/s_client.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/apps/s_client.c b/apps/s_client.c
index 97f7cbd922..783a49e083 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -559,6 +559,7 @@ int MAIN(int argc, char **argv)
 {
 unsigned int off=0, clr=0;
 unsigned int cert_flags=0;
+ int build_chain = 0;
 SSL *con=NULL;
 #ifndef OPENSSL_NO_KRB5
 KSSL_CTX *kctx;
@@ -877,6 +878,8 @@ int MAIN(int argc, char **argv)
 if (--argc < 1) goto bad;
 CApath= *(++argv);
 }
+ else if (strcmp(*argv,"-build_chain") == 0)
+ build_chain = 1;
 else if (strcmp(*argv,"-CAfile") == 0)
 {
 if (--argc < 1) goto bad;
@@ -1212,8 +1215,6 @@ bad:
 #endif
 SSL_CTX_set_verify(ctx,verify,verify_callback);
- if (!set_cert_key_stuff(ctx,cert,key, NULL))
- goto end;
 if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || (!SSL_CTX_set_default_verify_paths(ctx)))
@@ -1223,6 +1224,9 @@ bad:
 /* goto end; */
 }
+ if (!set_cert_key_stuff(ctx,cert,key, NULL, build_chain))
+ goto end;
+
 #ifndef OPENSSL_NO_TLSEXT
 if (curves != NULL)
 if(!SSL_CTX_set1_curves_list(ctx,curves)) { |
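Review bot: The new `-build_chain` branch in the option loop (second hunk) has no matching help text: the diffstat shows only these six inserted lines in apps/s_client.c, so the usage output reached through `goto bad` will not list the flag. A one-line entry in the file's usage routine, for example `BIO_printf(bio_err," -build_chain  - build certificate chain\n");`, would make the option discoverable and say what it does. The option loop and the rest of MAIN lie outside the hunk, so the exact placement has to be checked against the full file.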
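Review bot: In the last hunk, `set_cert_key_stuff(ctx,cert,key, NULL, build_chain)` now runs after a trust-store load whose failure is deliberately non-fatal (the `/* goto end; */` just above it), so with `-build_chain` a bad `-CAfile` or `-CApath` will presumably surface only as a chain-build failure followed by `goto end`, without naming the real cause. The ordering dependency that motivated moving the call out of the third hunk's position is also undocumented; a comment such as `/* must follow SSL_CTX_load_verify_locations(): -build_chain builds the chain from ctx's store */` would keep a later reorder from silently breaking chain building. set_cert_key_stuff is defined outside this file's diff, so how it reports a failed build is inferred from the commit message. MAIN starts and ends outside the hunk.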