Re: SSL_set_verify with a context?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



You can use X509_STORE_CTX_get_app_data() and type-cast the returned pointer to SSL*.

 

 



Ryan Pfeifle
Software Engineer
 

VPI is now part of NICE

Tel: 1.805.389.5200 x5297


E-mail: Ryan.Pfeifle@xxxxxxxx

 

 

The information transmitted in this message is intended only for the addressee and may contain confidential and/or privileged material. If you received this in error, please contact the sender and delete this material from any computer.

From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Lei Kong
Sent: Thursday, October 27, 2016 11:54 AM
To: openssl-users@xxxxxxxxxxx
Subject: Re: SSL_set_verify with a context?

 

I am using the following link ssl to my container structure, so is it possible to  get ssl from x509_ctx in verify_callback?

    SSL_set_app_data(ssl, this);

 

    int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx);

 


From: Lei Kong <leikong@xxxxxxx>
Sent: Thursday, October 27, 2016 1:24:05 AM
To: openssl-users@xxxxxxxxxxx
Subject: SSL_set_verify with a context?

 

What I am trying to achieve is to allow some minor certificate chain validation errors, e.g. "CRL unavailable", based on my per-session configuration. I am think of using my verify callback to record the errors.

 

void SSL_set_verify(SSL *s, int mode, int (*verify_callback)(int, X509_STORE_CTX *));

int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx);

 

Given the above interfaces, it seems I cannot set the callback with a context, which is needed to link a callback instance to my SSL session for error tracking. Yes, I can use SSL_get_verify_result to get the error afterwards, but is it guaranteed that the most severe error is always returned by SSL_get_verify_result? For example, I don't want "unable to get CRL" to mask other more important errors.

 

I would rather avoid repeating validating the whole chain manually after default validation is completed, is it possible to achieve my goal without repeating chain validation manually?

 

Any comment will be appreciated.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux