Just double-checking: As far as I have seen, OpenSSL's SSL_CTX_set_cert_verify_callback() is not implemented inside the compatibility layer? I am asking because of
http://www.ietf.org/mail-archive/web/syslog/current/msg01963.html

Thanks,
Rainer

On Wed, May 21, 2008 at 1:53 PM, Nikos Mavrogiannopoulos <[EMAIL PROTECTED]> wrote:
> Rainer Gerhards wrote:
>> Hi Nikos,
>>
>> On Wed, May 21, 2008 at 1:08 PM, Nikos Mavrogiannopoulos
>> <[EMAIL PROTECTED]> wrote:
>>> Simon Josefsson wrote:
>>>
>>>>> I still would see a lot of benefit in being able to check the remote
>>>>> peer's identity BEFORE the Finished message is sent. That way, I could
>>>>> block access to not permitted peers at the risk of the DoS outlined
>>>>> above. Am I still overlooking something?
>>>> No, I think that is correct. Nikos, any thoughts? You added some
>>>> callbacks during the handshake earlier, are any of those useful here?
>>> No, unfortunately not. The callbacks I added are called after the client
>>> hello is received. The callbacks you discuss need to be called after the
>>> certificate message is received.
>>
>> Could you point me to the file where processing of the certificate
>> message is done? I would be interested to see if I could add a
>> callback, and may it even just be to know how it is done ;)
>
> The file is gnutls_handshake.c. The functions you're interested in are
> _gnutls_handshake_client and _gnutls_handshake_server (if you're doing it
> for both of them).
>
> A similar callback is _gnutls_user_hello_func, which is the post_hello
> callback.
>
> I'd be glad to review and commit any patches for this issue.
>
> regards,
> Nikos

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
