Hello, thanks for answering; my bad for picking the wrong mailing list, but since you have already answered, please let me elaborate:

SSL_set_retry_verify is supposed to be a mechanism through which we can implement an asynchronous verification callback. It is supposed to be called from the certificate verification callback, and this should allow subsequent processing to in effect re-invoke the callback once again. It is heavily under-documented in curl; the only info is here: https://curl.se/libcurl/c/CURLOPT_SSL_CTX_FUNCTION.html

  - For OpenSSL, asynchronous certificate verification via SSL_set_retry_verify is supported. (Added in 8.3.0)

What works: the cert verify callback is invoked, I call SSL_set_retry_verify() and return from the callback. The next time curl_multi_perform/curl_multi_socket_action is invoked, the callback is re-invoked. I have planned to trigger this via curl_multi_perform once the cert verification logic finishes.

The issue is that on the curl side, it seems only minimal logic was added: https://github.com/curl/curl/pull/11499/files

This means that, since at the moment the callback is invoked the underlying socket is scheduled in our event loop for curl_multi_socket_action to be invoked when it is readable (which, at least in our case, it is the whole time), we busy-loop.

I would unschedule the relevant fds; however, we use multiple easy handles within the multi handle, and I am afraid of doing it based on the CURL* parameter of CURLMOPT_SOCKETFUNCTION due to the comment there, as I have mentioned; if this approach is unreliable and that happens in production, it would be bad.

Please note that this is part of trying to replace SecureTransport on Apple, where verification of certificates via the system is typically performed asynchronously...

Ondrej
On Fri, Aug 8, 2025 at 4:19 PM Daniel Stenberg <dan...@haxx.se> wrote:
> On Fri, 8 Aug 2025, Ondra via curl-users wrote:
>
> You might enjoy the curl-library mailing list more, as that focuses on
> libcurl and this list is more curl tool oriented.
>
> > The proper approach to do this seems to be to use CURLOPT_SSL_CTX_FUNCTION
> > to register a custom ctx function from which SSL_CTX_set_cert_verify_callback
> > can be used to register a verify callback.
> >
> > When this cert_verify_callback is invoked, I obtain the chain of
> > certificates and post it for verification. Then I "return
> > SSL_set_retry_verify(ssl);" from it.
> > This works; however, the problem is that the sockets scheduled by multi on
> > behalf of this easy are not unscheduled; thus we busy-loop until the cert
> > verification finishes.
>
> This explanation seems to leave something out. How can libcurl call a callback
> and wait for its return and at the same time run in a busy-loop?
>
> --
>
>  / daniel.haxx.se || https://rock-solid.curl.dev
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
Etiquette:   https://curl.se/mail/etiquette.html
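Added example (not curl's, OpenSSL's or the poster's code) of the bookkeeping a verify callback needs once it starts answering with SSL_set_retry_verify(): the callback is re-invoked on every subsequent drive of the handle, so it must submit the chain to the slow verifier exactly once, keep answering "retry" while the result is outstanding, and hand back the stored verdict only for the chain it was computed for. The portable core compiles and runs stand-alone; the OpenSSL/libcurl glue is behind ASYNC_VERIFY_OPENSSL_GLUE and assumes OpenSSL >= 3.0 (SSL_set_retry_verify) and curl >= 8.3.0. All function and type names (async_verify_step, submit_to_system_verifier, ...) are this example's own, and submit_to_system_verifier is a hook the application would provide. One caveat carried in the glue: inside SSL_CTX_set_cert_verify_callback()'s callback X509_verify_cert() has not run, so the built chain is not available yet; the leaf is X509_STORE_CTX_get0_cert() and the chain as sent by the peer is X509_STORE_CTX_get0_untrusted().

```c
/* Added example: re-entrant state for an asynchronous OpenSSL certificate
 * verify callback that answers with SSL_set_retry_verify(). Not curl's or
 * OpenSSL's code; names are this example's own. The core is plain C; the
 * glue under ASYNC_VERIFY_OPENSSL_GLUE assumes OpenSSL >= 3.0, curl >= 8.3.0. */
#include <stddef.h>
#include <string.h>

enum verify_state  { VERIFY_IDLE, VERIFY_PENDING, VERIFY_OK, VERIFY_FAILED };
enum verify_answer { ANSWER_RETRY, ANSWER_ACCEPT, ANSWER_REJECT };

struct async_verify {
    enum verify_state state;
    unsigned char chain_id[32]; /* identifies the chain the verdict is for */
    size_t chain_id_len;
    unsigned calls;             /* how often the verify callback ran */
};

/* Hook that hands the chain to the slow verifier; must not block. The arg is
 * only valid for the duration of the call, so the hook copies what it needs. */
typedef void (*submit_fn)(struct async_verify *av, void *arg);

/* A verifier that answers later through async_verify_complete(). */
void async_verify_submit_noop(struct async_verify *av, void *arg)
{
    (void)av; (void)arg;
}

/* One invocation of the verify callback. Submits the chain exactly once,
 * answers RETRY while the result is outstanding, then the stored verdict. */
enum verify_answer
async_verify_step(struct async_verify *av, const unsigned char *chain_id,
                  size_t chain_id_len, submit_fn submit, void *submit_arg)
{
    av->calls++;
    if (chain_id_len > sizeof av->chain_id)
        chain_id_len = sizeof av->chain_id;
    /* A verdict computed for some other chain must never be reused. */
    if (av->state != VERIFY_IDLE &&
        (av->chain_id_len != chain_id_len ||
         memcmp(av->chain_id, chain_id, chain_id_len) != 0))
        av->state = VERIFY_IDLE;

    if (av->state == VERIFY_IDLE) {
        memcpy(av->chain_id, chain_id, chain_id_len);
        av->chain_id_len = chain_id_len;
        av->state = VERIFY_PENDING;
        submit(av, submit_arg);          /* may also complete synchronously */
    }
    switch (av->state) {
    case VERIFY_OK:     return ANSWER_ACCEPT;
    case VERIFY_FAILED: return ANSWER_REJECT;
    default:            return ANSWER_RETRY;
    }
}

/* Completion from the verifier. Afterwards the application has to drive
 * libcurl again (curl_multi_socket_action / curl_multi_perform) so that
 * OpenSSL re-invokes the verify callback and picks up the verdict. */
void async_verify_complete(struct async_verify *av, int trusted)
{
    if (av->state == VERIFY_PENDING)
        av->state = trusted ? VERIFY_OK : VERIFY_FAILED;
}

#ifdef ASYNC_VERIFY_OPENSSL_GLUE
#include <openssl/ssl.h>
#include <openssl/x509.h>
#include <curl/curl.h>

/* Application-provided: copies X509_STORE_CTX_get0_cert()/get0_untrusted()
 * out of the store ctx and posts them to the system verifier. */
void submit_to_system_verifier(struct async_verify *av, void *store_ctx);

/* Installed with SSL_CTX_set_cert_verify_callback(); arg is the per-easy state. */
static int verify_cb(X509_STORE_CTX *store, void *arg)
{
    struct async_verify *av = arg;
    SSL *ssl = X509_STORE_CTX_get_ex_data(store, SSL_get_ex_data_X509_STORE_CTX_idx());
    /* X509_verify_cert() has not run, so no built chain exists yet; key the
     * verdict on the leaf the peer presented. */
    X509 *leaf = X509_STORE_CTX_get0_cert(store);
    unsigned char id[EVP_MAX_MD_SIZE]; unsigned int idlen = 0;
    X509_digest(leaf, EVP_sha256(), id, &idlen);
    switch (async_verify_step(av, id, idlen, submit_to_system_verifier, store)) {
    case ANSWER_ACCEPT: return 1;
    case ANSWER_RETRY:  return SSL_set_retry_verify(ssl); /* -> SSL_ERROR_WANT_RETRY_VERIFY */
    default: X509_STORE_CTX_set_error(store, X509_V_ERR_CERT_UNTRUSTED); return 0;
    }
}

/* CURLOPT_SSL_CTX_FUNCTION; CURLOPT_SSL_CTX_DATA points at the struct async_verify. */
static CURLcode ssl_ctx_cb(CURL *curl, void *ssl_ctx, void *clientp)
{
    (void)curl;
    SSL_CTX_set_cert_verify_callback((SSL_CTX *)ssl_ctx, verify_cb, clientp);
    return CURLE_OK;
}
#endif
```

The core deliberately keeps one state block per easy handle (passed through CURLOPT_SSL_CTX_DATA rather than looked up from the socket callback), which sidesteps the CURL* mapping concern raised in the thread for the verdict itself; it does nothing about the busy-loop on the readable socket, which is the part the thread leaves open.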