Ron Ramsay <[EMAIL PROTECTED]>:

[...]
> To summarise: Yes, you can write your own verify callback. Yes, I will
> write my own. But, as a documentation measure, shouldn't the supplied
> callback LOOK like a real verify callback?

Well, the one used by s_client and s_server allows you to see what the
library does not like about the peer's certificate chain, but still
allows communication to occur.  That's convenient for testing
servers; but maybe there should be an option to enable strict
verification.

[...]
> ABTW Has anyone analysed the significance of the return codes. The
> values (in SSL) seem to be -2, -1, 0 or >0 but the significance of -2,
> -1 and 0 escapes me. 0 seems to arise if an ERROR occurs, -1 for
> EWOULDBLOCK and most other times and the strange -2 one. I think it
> would be really nice if the codes were possibly: -1 (error) 0 (not
> enough data) >0 (no error). This would simplify the API as
> SSL_get_error() would only need to be called if there were an error.

Where did you find -2?  I have never seen that one.
For the functions that I can remember, 0 means EOF, -1 means an error
or EWOULDBLOCK.  These codes quite closely follow the standard Unix
behaviour.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
