Feature request : SSL_CTX_set_verify


Hi Pierre,

Just want to revisit this topic again :)

First, let me clarify that the issue added in ticket #1032 is about
giving the application a chance to "override" a negative result in
certificate verification, not really the main idea you suggested,
which was about exporting/escalating the OpenSSL verification callback in
its 'native' form (including leaking some OpenSSL data). Did I get it
wrong?

A reason behind 'ignoring' your main idea was that the use-case
samples you gave can be handled by the existing mechanism, e.g.:
- certificate info can be queried via pj_ssl_sock_get_info().
- the application can check whether a certificate has been received by
calling pj_ssl_sock_get_info() in on_connect_complete().
- bypassing CA cert verification can be implemented without
exporting the verification callback to the application.
Also, the existing mechanism seems suitable for other SSL back-ends,
e.g. Symbian CSecureSocket.

So, basically we haven't seen any advantage in exporting the
verification callback other than the possibility of an optimization in the SSL
handshake, i.e. immediately stopping the handshake when verification
fails.

BR,
nanang


On Sat, Jan 30, 2010 at 12:09 AM, Nanang Izzuddin <nanang at pjsip.org> wrote:
> Hi,
>
> Just updated ticket #1032.
>
> Thanks for the suggestion.
>
> BR,
> nanang
>
>
> On Fri, Jan 29, 2010 at 10:52 PM, Pierre-Luc Bacon
> <pierre-luc.bacon at savoirfairelinux.com> wrote:
>> At the moment it seems that the callback on SSL_CTX_set_verify is being set to NULL:
>>
>> pjproject/pjlib/src/pj/ssl_sock_ossl.c
>> 469:    SSL_CTX_set_verify(ctx, mode, NULL);
>>
>> pjproject/pjsip/src/pjsip/sip_transport_tls_ossl.c
>> 460:    SSL_CTX_set_verify(ctx, mode, NULL);
>>
>> However, I think one could make great use of it if it were available from the client (i.e. the "implementer"). The use case of particular interest to me is to give the user the ability to see information and to get notified when a server certificate is received (just as Firefox or any browser does). Also, if the client does not already have the required CA files installed locally on her computer, that might be just enough to "confirm" the process.
>>
>> I don't know how you (Benny) feel about "leaking" some of OpenSSL in the library, but considering its widespread use, I don't see much of a problem with this.
>>
>> Thank you,
>> Pierre-Luc Bacon
>>
>> _______________________________________________
>> Visit our blog: http://blog.pjsip.org
>>
>> pjsip mailing list
>> pjsip at lists.pjsip.org
>> http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org
>>
>
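The thread above talks about letting the application "override" a negative certificate-verification result, which is exactly the decision an OpenSSL SSL_CTX_set_verify() callback (the one pjsip currently passes as NULL) is asked to make. The following is an added example, not pjsip or OpenSSL code: it writes that decision in plain C so it builds without OpenSSL, and narrows the override to what a practitioner would actually accept: only "no trust anchor" errors, never expiry or revocation, and only when the leaf certificate matches a fingerprint the user pinned beforehand. The X509_V_ERR_* numeric values are copied from OpenSSL's x509_vfy.h, the two fingerprints are constructed sample bytes rather than digests of real certificates, and the callback wiring at the end is an assumption that is compiled only with -DUSE_OPENSSL.

```c
/*
 * Added example (not pjsip or OpenSSL code): the override decision an
 * application would make when handed a negative verification result,
 * whether through OpenSSL's SSL_CTX_set_verify() callback or through a
 * wrapper that reports the result to the application.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Numeric values copied from OpenSSL's x509_vfy.h so this file compiles
 * without OpenSSL headers. */
#define VERIFY_OK                                     0
#define VERIFY_ERR_CERT_NOT_YET_VALID                 9
#define VERIFY_ERR_CERT_HAS_EXPIRED                   10
#define VERIFY_ERR_DEPTH_ZERO_SELF_SIGNED_CERT        18
#define VERIFY_ERR_SELF_SIGNED_CERT_IN_CHAIN          19
#define VERIFY_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY  20
#define VERIFY_ERR_CERT_REVOKED                       23
#define VERIFY_ERR_CERT_UNTRUSTED                     27

#define FP_LEN 32  /* SHA-256 fingerprint of the DER-encoded leaf certificate */

/* Constructed sample fingerprints (not digests of real certificates):
 * sample_fp_b differs from sample_fp_a in its last byte only. */
static const uint8_t sample_fp_a[FP_LEN] = {
    0x3a,0x7b,0xd3,0xe2,0x36,0x0a,0x3d,0x29,0xee,0xa4,0x36,0xfc,0xfb,0x7e,0x44,0xc7,
    0x35,0xd1,0x17,0xc4,0x2d,0x1c,0x18,0x35,0x42,0x0b,0x6b,0x99,0x42,0xdd,0x4f,0x1b };
static const uint8_t sample_fp_b[FP_LEN] = {
    0x3a,0x7b,0xd3,0xe2,0x36,0x0a,0x3d,0x29,0xee,0xa4,0x36,0xfc,0xfb,0x7e,0x44,0xc7,
    0x35,0xd1,0x17,0xc4,0x2d,0x1c,0x18,0x35,0x42,0x0b,0x6b,0x99,0x42,0xdd,0x4f,0x1a };

/* Constant-time comparison: the peer must not learn how many bytes matched. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* 1 only for errors that mean "no trust anchor for this chain". Anything
 * else (expired, not yet valid, revoked, bad signature, ...) is a real
 * problem with the certificate itself and must not be overridden. */
static int is_trust_anchor_error(int err)
{
    switch (err) {
    case VERIFY_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
    case VERIFY_ERR_SELF_SIGNED_CERT_IN_CHAIN:
    case VERIFY_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
    case VERIFY_ERR_CERT_UNTRUSTED:
        return 1;
    default:
        return 0;
    }
}

/*
 * preverify_ok and err are what OpenSSL hands a SSL_CTX_set_verify()
 * callback; leaf_fp is the SHA-256 fingerprint of the depth-0 certificate
 * and pinned_fp the value the user pinned earlier. Returns 1 to let the
 * handshake continue, 0 to abort it.
 */
int verify_override(int preverify_ok, int err,
                    const uint8_t *leaf_fp, const uint8_t *pinned_fp, size_t fp_len)
{
    if (preverify_ok)
        return 1;                       /* chain verified against a CA: nothing to override */
    if (!is_trust_anchor_error(err))
        return 0;                       /* expiry, revocation etc. are never overridden */
    if (leaf_fp == NULL || pinned_fp == NULL || fp_len != FP_LEN)
        return 0;                       /* no pin available: fail closed */
    /* No local CA, but the leaf is exactly the certificate the user pinned. */
    return ct_equal(leaf_fp, pinned_fp, fp_len);
}

#ifdef USE_OPENSSL  /* assumed wiring; build with -DUSE_OPENSSL -lssl -lcrypto */
#include <openssl/ssl.h>
#include <openssl/x509_vfy.h>

static const uint8_t *g_pinned_fp;  /* set by the application before connecting */

/* The callback shape that SSL_CTX_set_verify() expects. OpenSSL calls it once
 * per certificate in the chain; we always pin the depth-0 (leaf) certificate,
 * which X509_STORE_CTX_get0_cert() returns in OpenSSL 1.1.0 and later. */
static int openssl_verify_cb(int preverify_ok, X509_STORE_CTX *ctx)
{
    uint8_t fp[FP_LEN];
    unsigned int n = 0;
    X509 *leaf = X509_STORE_CTX_get0_cert(ctx);
    if (leaf == NULL || !X509_digest(leaf, EVP_sha256(), fp, &n) || n != FP_LEN)
        return 0;
    return verify_override(preverify_ok, X509_STORE_CTX_get_error(ctx),
                           fp, g_pinned_fp, FP_LEN);
}
/* Usage: SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, openssl_verify_cb); */
#endif
```

Two points this makes concrete: returning 1 from the callback for a trust-anchor error does not silence later errors, since OpenSSL keeps calling the callback for each certificate and each error, so expiry or revocation of the same chain is still reported; and the fingerprint check is what turns "the user clicked confirm" into an identity binding, which is why the override takes a pin rather than a boolean.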


