On 08.02.2010 13:15, Nanang Izzuddin wrote:
> Hi Pierre,
>
> Just want to revisit this topic again :)
>
> First, let me clarify that the issue added in ticket #1032 is about
> giving a chance for application to "override" negative result in
> certificate verification, not really the main idea you've suggested,
> which was about exporting/escalating OpenSSL verification callback in
> its 'native' way (including leaking some OpenSSL data), did I get it
> wrong?
>
> A reason behind 'ignoring' your main idea was that the use-case
> samples you've given can be handled by the existing mechanism, e.g:
> - certificate info could be queried via pj_ssl_sock_get_info().
> - application can check whether certificate has been received by
>   calling pj_ssl_sock_get_info() in on_connect_complete().
> - bypassing CA cert verification could be implemented without
>   exporting the verification callback to application.
> Also the existing mechanism seems suitable for other SSL back-ends,
> e.g: Symbian CSecureSocket.
>
> So, basically we haven't seen any advantage of exporting the
> verification callback other than possibility of optimization in SSL
> handshake, i.e: immediately stopping the handshake when verification
> fails.

Maybe there is a benefit when somebody has existing code which used OpenSSL directly and wants to reuse it, or if certificate details are needed. But anyway, Pierre requested it ....

klaus