Re: SSL alert number 48

On Tue, Nov 28, 2017 at 9:11 PM, Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:
On Tue, Nov 28, 2017 at 10:03:12AM +0000, wizard2010@xxxxxxxxx wrote:

> I guess my problem is really related to verify callback
> on SSL_CTX_set_verify function.
> I just add to my code a dummy callback returning 1 and everything works
> properly.
>
>
> > int verify_callback (int ok, X509_STORE_CTX *ctx);
> > int verify_callback (int ok, X509_STORE_CTX *ctx)
> > {
> >     printf("Verification callback OK!\n");
> >     return 1;
> > }
> > ...
> > SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
> > SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);

The above completely disables authentication of the peer certificate,
and makes your application vulnerable to man-in-the-middle attacks.
Perhaps that's OK, but often it is not.

Why did you say that code disables the authentication?
One thing that I didn't understand is what type of verification is made by the SSL_CTX_set_verify function.
And what is the supposed/right thing to do in verify_callback in order to perform the client certificate authentication?

Kind regards.


> The problem is that the error doesn't tell much about what's really
> going on or what's really missing.

When the verification callback is failing, the peer's certificate
chain is either incomplete or is using a trust-anchor (root CA)
that is not configured as trusted on your end.

--
        Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

