Hello,
When an _intermediate_ SSL server certificate fails validation, we
should report errors using information in that certificate and not in
the top-level "peer" certificate. Otherwise, our details may make no
sense. For example, we could say that the validation failed due to the
expired certificate and show an expiration date in the future (because
the top-level certificate did not expire but the intermediate
certificate did).
OpenSSL X509_STORE_CTX_get_current_cert() returns the certificate that
was being tested when our certificate validation callback was called.
Thank you,
Alex.
This archive was generated by hypermail 2.2.0 : Wed Nov 16 2011 - 12:00:08 MST