Re: Question about examples in openssl doc X509_STORE_CTX_verify_cb

On Mon, Mar 14, 2022 at 11:25:51AM -0700, Edward Tsang via openssl-users wrote:

> https://www.openssl.org/docs/man1.1.1/man3/X509_STORE_CTX_verify_cb.html
> 
> I am trying to figure out how this example works but it does not seem to
> bypass the (use the second example of  X509_V_ERR_CERT_HAS_EXPIRED)
> 
> However the caller code
> long res = SSL_get_verify_result( sslCtx ); still reports res NOT as
> X509_V_OK, which it should be per the example since it is returning as 1.

This is correct and expected.  Returning "ok = 1" from the verify
callback allows the handshake to continue, rather than be aborted,
but it does not and should not mark the certificate as verified.

> I don't think I need to use X509_STORE_CTX_set_error(ctx, X509_V_OK);
> before return 1 in the X509_STORE_CTX_verify_cb example.
> Or am I missing something?

You're missing something.  It is best to not suppress the error code,
since this will also mean that resumed sessions are unaware of the
error, ... Rather, if you want to tolerate expired certificates, record
and admit that error both in the callback and after the handshake.

-- 
    Viktor.
