If you really need to use your own certificates, allocate and populate your own ::X509_STORE instance and pass it to ::SSL_CTX_set_cert_store() instead of calling ::SSL_CTX_load_verify_locations(). (SSL_CTX_load_verify_locations() internally uses the same X509_STORE structure.) However, there is no public documentation of X509_STORE as of yet (see SSL_CTX_set_cert_store(3)) so you may have to dig into the OpenSSL source code in order to figure out exactly how you fill the structure out.

This is getting off-topic for this list; you may want to direct further questions to openssl-users@openssl.org.

And in order to make this email on-topic (well, kind of), I'm going to re-iterate: Use boost::asio::ssl::context::impl() to obtain the underlying SSL_CTX pointer, with which you can use virtually all SSL_CTX_* functions from OpenSSL. :-)

Eugene

j.c. wrote:
(Certificate files might be encrypted as well from the technical point of view; it however does not make sense, as the data in the certificate is considered public anyway.)

On Mar 6, 2008, at 2:19 PM, j.c. wrote:
What is the security risk in the ca.pem to be placed on end-users machines?
Thanks, j.c.