> On Sep 11, 2018, at 2:09 AM, Armen Babikyan <armen.babikyan@xxxxxxxxx> wrote:
>
> I have a question regarding openssl and verification of client certificates. Is there a way to have an openssl-enabled server ask for a client certificate, and when it receives one it can't verify, rather than immediately terminating the handshake, it would allow the connection, but pass some context about the failed verification to the calling application?

Yes.

> It appears that what I want is not possible from the SSL_VERIFY_* options presented here:

Actually, SSL_VERIFY_PEER is the right choice, but you also need a non-null verification callback that continues (by returning 1) despite failures to verify the client certificate. You can check the verification status at the completion of the handshake via SSL_get_verify_result(3).

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users