SSL contexts, trusted CAs etc.

I'm programming an SSL client (HTTPS really) using the COMM package, and
I need to ensure that the server certificate is verified.

Here's a code fragment:

 (with-open-stream (http (comm:open-tcp-stream host port
                                 :ssl-ctx ssl-context
                                 :element-type '(unsigned-byte 8)))
  (print (comm:ssl-get-verify-result (comm:socket-stream-ssl http)))
  ...)

The printed result from ssl-get-verify-result is typically 19 or 20,
which I believe indicates that no trusted CA was found locally for the
certificate presented by the server. Hence it seems to me I need to add
some trusted certificates into the SSL context. What is the recommended
way to do this?

If I understand things correctly, using SSL without checking the
certificate is nearly useless, because it leaves you open to
man-in-the-middle attacks (?)

....

I posted the above question first yesterday, but it bounced. I've since
found that this seems to do the trick:

  (comm:ssl-ctx-load-verify-locations
                      ssl-context
                      (namestring (or (probe-file trusted-certificate-file)
                                      (error "No trusted certificate file ~S."
                                             trusted-certificate-file)))
                      nil)

Also, passing "/etc/ssl/certs" for the second argument to
SSL-CTX-LOAD-VERIFY-LOCATIONS works on many systems. I'd still like to
hear if this is according to "best practices" though.


And btw, is it safe (or intended even) to reuse SSL contexts for
multiple connections?

Thanks,
-- 
Frode V. Fjeld
Netfonds Bank ASA