enforcing ssl trust chain
Emile Joubert
emile@REDACTED
Wed Aug 11 18:59:41 CEST 2010
Hi,

I read in the latest ssl documentation and SSL 3.10.3 release notes that
an unknown CA is not considered a validation error. What is the
motivation for this default?

In a production environment I want to prevent clients without
certificates signed by a known CA from connecting. Is there any way of
getting this behaviour by using configuration files? The only way I can
find is to set verify_fun to an appropriate function, but this is
unappealing because I want to change my mind without needing to recompile.

Thanks

Emile
More information about the erlang-questions mailing list