Hello,
we would like to do our own verification of client certificates, and to
that effect have written a module and a patch to mod_ssl that replaces
the verify callback with our own hook in ssl_hook_Access
(ssl_engine_kernel.c):
    /* look up the optional function our verification module registers */
    APR_OPTIONAL_FN_TYPE(custom_ssl_verify) *cust_verify = NULL;
    cust_verify = APR_RETRIEVE_OPTIONAL_FN(custom_ssl_verify);

    if (dc->nVerifyClient == SSL_CVERIFY_CUSTOM && cust_verify) {
        /* custom mode: request the client cert once and hand verification to our hook */
        verify |= SSL_VERIFY_CLIENT_ONCE;
        modssl_set_verify(ssl, verify, cust_verify);
    } else {
        /* otherwise keep mod_ssl's own verify callback */
        modssl_set_verify(ssl, verify, ssl_callback_SSLVerify);
    }
and something similar in ssl_init_ctx_verify (in ssl_engine_init.c).
This works, but we don't have access to the cert chain when our callback
is called (SSL_get_peer_cert_chain returns a NULL pointer). Is this
normal (not yet filled in)? Or do we use the wrong callback/hook at the
wrong place?
Any help appreciated (please CC, since I'm not on the list),
jos