> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Paul Lucas
> Sent: Tuesday, October 20, 2015 19:08
>
> I'm writing my own callback function in C for SSL_CTX_set_verify() to perform
> additional certificate checks (when the preverify_ok parameter is 1).
> However, I want to perform the checks only for the leaf certificate (depth =
> 0).
>
> There is the function X509_STORE_CTX_get_error_depth() that gets the
> depth of the error; but I want the current depth even when there is no error
> so I can perform my additional checks only when depth=0. (Note that the
> function SSL_CTX_get_verify_depth() returns the depth limit and not the
> current depth.)
>
> Is there any way to do what I want?

I thought get_error_depth returned the current depth even when there is no "error". The preverifyOk parameter tells the callback whether OpenSSL thinks there's a problem; the callback is invoked regardless, for each certificate in the chain, and get_error_depth should tell you what the depth is on each call, even if preverifyOk is true (nonzero).

A quick browse through x509_vfy.c (for 1.0.1p) suggests that ctx->error_depth, which is what get_error_depth returns, is always set before calling the callback.

--
Michael Wojcik
Technology Specialist, Micro Focus