So let me get this straight. If someone had software where they called X509_verify_cert from the SSL_CTX_set_cert_verify_callback callback twice (to verify first with CRLs, and maybe verify again without CRLs) and it worked as expected, after this patch their software is broken. Am I right? And there is no solution to this after the patch for 1.0.[12]. Am I right?

On 2016.03.24. 16:17, Viktor Dukhovni wrote:
>
>> On Mar 24, 2016, at 4:21 AM, DEXTER <mydexterid at gmail.com> wrote:
>>
>> So this patch:
>> https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b3b1eb5735c5b3d566a9fc3bf745bf716a29afa0
>>
>> magically made itself into Ubuntu Trusty's version of OpenSSL in a
>> security update.
>>
>> My question is:
>>
>> What is the recommended way now to call X509_verify_cert twice or
>> unlimited times from the SSL_CTX_set_cert_verify_callback callback?
>> (This is where the ctx is already initialized by OpenSSL and not by the user.)
>
> I'm afraid multiple calls are not supported.
> I'll consider updating the 1.1.0 code to make that possible,
> but that won't help you with 1.0.[12]...
>