On Thu, Jul 26, 2001 at 07:00:01PM +0300, Ori Yosefi wrote:
> I've been trying to write a server application that for some resources
> requests a client certificate from the user.
> 
> I call SSL_CTX_load_verify_locations and SSL_CTX_set_client_CA_list before
> starting listening on the socket and then analyze the requests and for some
> requests I call SSL_set_verify with a callback function (with mode
> SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE).
> 
> I then call SSL_renegotiate to actually request the certificate.
> 
> I see that the connection is indeed renegotiated and that a client
> certificate is requested by the server. I also see that the server receives
> the client certificate (both through step debugging and through the info
> callback) but my callback function is never called.
> 
> Had I used the SSL_CTX_set_verify with a callback function before starting
> the connection the callback function would have been called.
> 
> Does this sound familiar to anyone? Is there a way to renegotiate a
> connection for client certificates and get a callback on a per connection
> basis (as opposed to a per context basis)?

I just had a look into the source. At first glance it seems that the
X509_STORE of SSL_CTX, that holds all information about the verification
environment, is directly used for the verification in
ssl/ssl_cert.c:ssl_verify_cert_chain(). In this X509_STORE the verify_callback
of the SSL_CTX is being used. The verify_callback you supplied to the
SSL object is stored into the object, but it is actually never used.
This seems to be a bug :-)

I'll have to go through this again to make sure that I did not miss
anything and then consider the best strategy to solve this problem.

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]