On Thu, Jul 26, 2001 at 07:00:01PM +0300, Ori Yosefi wrote:
> I've been trying to write a server application that for some resources
> requests a client certificate from the user.
>
> I call SSL_CTX_load_verify_locations and SSL_CTX_set_client_CA_list before
> starting listening on the socket and then analyze the requests and for some
> requests I call SSL_set_verify with a callback function (with mode
> SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE).
>
> I then call SSL_renegotiate to actually request the certificate.
>
> I see that the connection is indeed renegotiated and that a client
> certificate is requested by the server. I also see that the server receives
> the client certificate (both through step debugging and through the info
> callback) but my callback function is never called.
...
Could you please apply the attached patch to the openssl-source and test
again?
It should bring the behaviour up to the state of the documentation :-)
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
Index: crypto/x509/x509_vfy.c
===================================================================
RCS file: /e/openssl/cvs/openssl/crypto/x509/x509_vfy.c,v
retrieving revision 1.46
diff -u -r1.46 x509_vfy.c
--- crypto/x509/x509_vfy.c 2000/09/22 21:32:07 1.46
+++ crypto/x509/x509_vfy.c 2001/07/27 17:24:27
@@ -911,6 +911,12 @@
ctx->flags |= X509_V_FLAG_USE_CHECK_TIME;
}
+void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
+ int (*verify_cb)(int, X509_STORE_CTX *))
+ {
+ ctx->verify_cb=verify_cb;
+ }
+
IMPLEMENT_STACK_OF(X509)
IMPLEMENT_ASN1_SET_OF(X509)
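Review bot: the new setter stores whatever it is handed, including NULL, so a caller that passes an unset callback pointer (the ssl_cert.c hunk passes s->verify_callback straight through) wipes out the callback the context already holds from its X509_STORE instead of leaving it in place. Either treat NULL as "keep the current callback" or document that callers must check for NULL themselves. A one-line comment above the function saying that it overrides, for this context only, the callback the store supplied would also help, because X509_STORE_set_verify_cb_func already exists at the store level and the two names are easy to confuse.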
Index: crypto/x509/x509_vfy.h
===================================================================
RCS file: /e/openssl/cvs/openssl/crypto/x509/x509_vfy.h,v
retrieving revision 1.33
diff -u -r1.33 x509_vfy.h
--- crypto/x509/x509_vfy.h 2000/09/06 13:24:10 1.33
+++ crypto/x509/x509_vfy.h 2001/07/27 17:24:27
@@ -382,6 +382,8 @@
int purpose, int trust);
void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, long flags);
void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t);
+void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
+ int (*verify_cb)(int, X509_STORE_CTX *));
#ifdef __cplusplus
}
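Review bot: a new public libcrypto entry point is added here without any documentation; the only .pod touched by this patch is doc/ssl/SSL_CTX_set_options.pod, which is about SSL_OP_EPHEMERAL_RSA. Add a doc/crypto page (or at least a comment next to the prototype) saying how X509_STORE_CTX_set_verify_cb relates to the existing X509_STORE_set_verify_cb_func: one sets the default on the store, the other overrides it for a single verification context and therefore has to be called on an already initialised context, as ssl_cert.c does after X509_STORE_CTX_purpose_inherit. A typedef for the callback type would also avoid spelling int (*)(int, X509_STORE_CTX *) out again here and in x509_vfy.c.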
Index: doc/ssl/SSL_CTX_set_options.pod
===================================================================
RCS file: /e/openssl/cvs/openssl/doc/ssl/SSL_CTX_set_options.pod,v
retrieving revision 1.1.2.3
diff -u -r1.1.2.3 SSL_CTX_set_options.pod
--- doc/ssl/SSL_CTX_set_options.pod 2001/07/21 11:04:35 1.1.2.3
+++ doc/ssl/SSL_CTX_set_options.pod 2001/07/27 17:24:28
@@ -129,6 +129,13 @@
Also use ephemeral (temporary) RSA key when doing RSA operations
(see L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>).
+According to the specifications this is only done, when a RSA key
+can only be used for signature operations (namely under export ciphers
+with restricted RSA keylength). By setting this option, ephemeral
+RSA keys are always used. This option breaks compatibility with the
+SSL/TLS specifications and may lead to interoperability problems with
+clients and should therefore never be used. Ciphers with EDH (ephemeral
+Diffie-Hellman) key exchange should be used instead.
=item SSL_OP_PKCS1_CHECK_1
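Review bot: this documentation hunk has nothing to do with the verify-callback fix the rest of the patch makes and should go in as a separate commit so it can be reviewed and reverted on its own. Wording: "this is only done, when a RSA key" should read "this is only done when an RSA key"; and since the paragraph ends by saying the option should never be used, put that warning first ("This option is not recommended ...") and the mechanism after it, so a reader skimming for the flag's meaning sees the warning before the explanation.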
Index: ssl/ssl_cert.c
===================================================================
RCS file: /e/openssl/cvs/openssl/ssl/ssl_cert.c,v
retrieving revision 1.35.2.2
diff -u -r1.35.2.2 ssl_cert.c
--- ssl/ssl_cert.c 2001/03/22 15:00:45 1.35.2.2
+++ ssl/ssl_cert.c 2001/07/27 17:24:28
@@ -461,6 +461,8 @@
X509_STORE_CTX_purpose_inherit(&ctx, i, s->purpose, s->trust);
+ X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
+
if (s->ctx->app_verify_callback != NULL)
i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */
else
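Review bot: the call is unconditional, so an SSL object with no per-connection callback (s->verify_callback == NULL) overwrites the callback the X509_STORE_CTX picked up from the certificate store with NULL. Guard it: `if (s->verify_callback != NULL) X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);`. That keeps a store-level callback, which applications can still install with X509_STORE_set_verify_cb_func on SSL_CTX_get_cert_store(), as the fallback when the SSL object has none of its own.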
Index: ssl/ssl_lib.c
===================================================================
RCS file: /e/openssl/cvs/openssl/ssl/ssl_lib.c,v
retrieving revision 1.74.2.6
diff -u -r1.74.2.6 ssl_lib.c
--- ssl/ssl_lib.c 2001/07/16 10:50:49 1.74.2.6
+++ ssl/ssl_lib.c 2001/07/27 17:24:28
@@ -1293,8 +1293,6 @@
{
ctx->verify_mode=mode;
ctx->default_verify_callback=cb;
- /* This needs cleaning up EAY EAY EAY */
- X509_STORE_set_verify_cb_func(ctx->cert_store,cb);
}
void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth)
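Review bot: dropping X509_STORE_set_verify_cb_func(ctx->cert_store, cb) is a visible behaviour change for anyone who verifies outside the handshake with an X509_STORE_CTX initialised from SSL_CTX_get_cert_store() and relied on SSL_CTX_set_verify having installed the callback on the store: after this patch such a context runs with no callback unless the application calls X509_STORE_set_verify_cb_func itself. Worth a line in CHANGES and in doc/ssl/SSL_CTX_set_verify.pod; the deleted "needs cleaning up" comment is the only trace of the old coupling, so nothing else in the tree will tell a reader why it changed.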