On Mon Jul 11 14:04:22 2016, dw...@infradead.org wrote:
> I was using store.get_issuer() in OpenConnect too, because I need to
> manually build the trust chain to include it on the wire — because
> even today the server might *still* suffer RT#1942 and fail to trust
> our client cert unless we help it by providing the *right* chain.

Is this still true with OpenSSL 1.1? If so, please file a report.

> I've worked around the lack of access to get_issuer() by doing a dummy
> call to X509_verify_cert(), throwing away its result and then hoping
> that we have something useful in store.chain (which we *can* still
> access). That seems to work but I'm not stunningly happy with it; if
> we can have an accessor I'd much rather go back to doing it the old way.
>
> http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/0d635a0
> (in workaround_openssl_certchain_bug() in the hunk around line 1306)

https://github.com/openssl/openssl/pull/1294 currently provides a setter for get_issuer in X509_STORE.

--
Richard Levitte
levi...@openssl.org

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602
Please log in as guest with password guest if prompted