if (!ok) goto end;
}
if (X509_verify(xs,pkey) <= 0)
+ /* XXX For the final trusted self-signed cert,
+ * this is a waste of time. That check should
+ * optional so that e.g. 'openssl x509' can be
+ * used to detect invalid self-signatures, but
+ * we don't verify again and again in SSL
+ * handshakes and the like once the cert has
+ * been declared trusted. */
{
ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
ctx->current_cert=xs;