I wanted to allow for the handling of CRLs. There is a comment in
X509_verify_cert() that indicates where CRL handling can be placed. But
this is in the library code and therefore not appropriate for private
code.

The verify callback, though, is an opportunity to check against CRLs
without affecting the library.

To summarise: Yes, you can write your own verify callback. Yes, I will
write my own. But, as a documentation measure, shouldn't the supplied
callback LOOK like a real verify callback?

I assume the bent nature of the supplied callback is because it would be
difficult to set up the appropriate certificates to allow s_server and
s_client to communicate, but Hey! wouldn't this be useful for people
REALLY trying to use the code?

(I am not criticising the code. I think you guys are doing a great job.
I'm just making notes.)

BTW I haven't looked closely at X509_verify_cert(). I am treating the
code as a library and using callbacks, etc. to customise its
functionality.

ABTW, has anyone analysed the significance of the return codes? The
values (in SSL) seem to be -2, -1, 0 or >0, but the significance of -2,
-1 and 0 escapes me. 0 seems to arise if an ERROR occurs, -1 for
EWOULDBLOCK and most other times, and then the strange -2 one. I think it
would be really nice if the codes were possibly: -1 (error), 0 (not
enough data), >0 (no error). This would simplify the API, as
SSL_get_error() would only need to be called if there were an error.

Ron.
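To make the objection concrete, here is an added example (mine, not code from this thread or from OpenSSL) modelling the two callback policies: the permissive one Ron describes, which turns NOT_OK into OK below depth 10, beside a strict one that keeps the library's verdict and adds the CRL-style revocation check he plans to do in the callback. The chain_elem struct and revoked_serials list are constructed stand-ins, and the block deliberately does not link OpenSSL so it compiles on its own.

```c
/* Stand-alone model of the OpenSSL verify-callback contract. In real code the
 * callback is int cb(int preverify_ok, X509_STORE_CTX *ctx) and reads depth and
 * error through X509_STORE_CTX_get_error_depth(ctx) / X509_STORE_CTX_get_error(ctx). */
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the chain element the real callback inspects. */
struct chain_elem {
    int depth;            /* 0 = leaf certificate, higher = towards the trust anchor */
    const char *subject;  /* for logging only */
    const char *serial;   /* hex serial, used for the revocation check */
};

/* Constructed revocation data standing in for a CRL loaded elsewhere. */
static const char *const revoked_serials[] = { "0A1B2C", "7F7F7F" };

static int is_revoked(const char *serial) {
    size_t i;
    for (i = 0; i < sizeof revoked_serials / sizeof revoked_serials[0]; i++)
        if (strcmp(serial, revoked_serials[i]) == 0)
            return 1;
    return 0;
}

/* The pattern the thread objects to: any failure at depth < 10 becomes OK,
 * so an untrusted, expired or mis-issued certificate passes verification. */
int permissive_verify(int preverify_ok, const struct chain_elem *e) {
    if (!preverify_ok && e->depth < 10)
        return 1;             /* NOT_OK silently converted to OK */
    return preverify_ok;
}

/* Hardened policy: never upgrade a library failure, and add the revocation
 * check that the library of the day did not perform for us. */
int strict_verify(int preverify_ok, const struct chain_elem *e) {
    if (!preverify_ok) {
        fprintf(stderr, "verify failed at depth %d (%s)\n", e->depth, e->subject);
        return 0;             /* keep the library's verdict */
    }
    if (is_revoked(e->serial)) {
        fprintf(stderr, "%s (serial %s) is revoked\n", e->subject, e->serial);
        return 0;             /* our own additional check */
    }
    return 1;
}
```

Returning 0 from the callback aborts the handshake; the real callback should also set a descriptive error on the ctx so SSL_get_verify_result() reports why.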

> -----Original Message-----
> From: Jason Cherry [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, May 05, 1999 6:13 PM
> To:   '[EMAIL PROTECTED]'
> Subject:      RE: X509_STORE_load_locations
> 
> You can write your own callback in replacement for the cb (default)
> one.
> 
> No, you're probably correct. If you're using certs with the SSL part of
> the library, check out the files in the ssl directory; there are things
> in there like useCertificate ... which are handy.
> 
> You're probably correct about the X509_STORE_load_locations() function,
> but when verifying it should tell you that it can't find the Issuer
> cert.
> 
> BTW, if you step through it (the ssleay verify function) and can figure
> out what it's doing when it's doing the hashing of the CA certificates,
> let me know. It must be the most convoluted thing I've ever seen.
> 
> Good Luck
> 
> Jason.
> 
> P.S.
> 
> I'll be away for two weeks, so I may not be able to reply very quickly
> after today.
> 
> 
> 
> -----Original Message-----
> From: Ron Ramsay [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, May 05, 1999 4:50 PM
> To:   '[EMAIL PROTECTED]'
> Subject:      X509_STORE_load_locations
> 
> X509_STORE_load_locations() ignores the return value from
> X509_LOOKUP_load_file().
> 
> Giving the wrong name of the file containing the CA certificate will
> not produce any errors until the code is required to verify a
> certificate.
> 
> Note that the sample callback (verify_callback()) for
> X509_verify_cert() always converts NOT_OK to OK if the depth is less
> than (10). This doesn't seem to be a good idea. Am I missing something?
> 
> I'm using OpenSSL 0.9.2b.
> 
> Ron.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to