Rather than have a slew of certificates located in a single directory, I want to have certificates divided across several directories. Currently my server calls SSL_CTX_load_verify_locations(), for which only a single CA_DIR can be passed. Looks like others have wanted to do similar (see http://www.mail-archive.com/openssl-users@openssl.org/msg55557.html for example), but I can't find any documentation on the appropriate solution.
So I started looking at the source for SSL_CTX_load_verify_locations(), which is a wrapper for X509_STORE_load_locations(), which calls X509_STORE_add_lookup() and then X509_LOOKUP_add_dir() once. So can I simply write something similar to X509_STORE_load_locations() but call X509_LOOKUP_add_dir() multiple times (i.e. once for each directory)?
Please advise.
PS: Where can I find documentation on the X509... API provided by openSSL? On www.openssl.org, I can only find http://www.openssl.org/docs/crypto/x509.html# , but I cannot find any link to X509_LOOKUP_add_dir() or other functions/macros exposed in the openssl x509 headers.
As the current answer is missing a code sample (sslctx is your SSL_CTX instance):
#include <openssl/ssl.h>
#include <openssl/x509_vfy.h>
/* a store keeps one hash_dir lookup; X509_STORE_add_lookup() returns the existing one if already attached */
X509_STORE *store = SSL_CTX_get_cert_store(sslctx);
X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
/* each call appends one directory; it returns 1 on success and 0 on failure, so check it in production code */
X509_LOOKUP_add_dir(lookup, "/first/cert/dir", X509_FILETYPE_PEM);
X509_LOOKUP_add_dir(lookup, "/second/cert/dir", X509_FILETYPE_PEM);
X509_LOOKUP_add_dir(lookup, "/another/cert/dir", X509_FILETYPE_PEM);
[I came here when I searched for how to add multiple CA paths in libcurl]
I asked:
So can I simply write something similar to X509_STORE_load_locations() but call X509_LOOKUP_add_dir() multiple times (i.e. once for each directory)?
The answer is yes, what I coded up worked.
Still, if anyone could point me to some documentation on the X509... API in openssl, that would be much appreciated!