Open
Description
At the moment certificate verification takes into account trusted certificates added via SSL_CTX_load_verify_file (and similar). However, it does not look at anything added by directly manipulating the X509_STORE returned from SSL_CTX_get_cert_store.
At minimum, we could extract certs and CRLs from that object each time and feed that to our verifier, at maximum we could entirely use the verifier in libcrypto (at the cost of more memory-unsafe code in the TCB).