REMOVE

----- Original Message -----
From: "nicholas black" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 05, 2001 3:57 PM
Subject: bug and solution wrt SSL_set_verify()
> hey there. my software's operating in both client and server mode, and
> needs a different verify function depending on the two.
>
> i've used SSL_CTX_set_verify() to set the default callback. i'm usually
> acting as a server, so i set it to my client cert verification function.
>
> when i want to connect to my server, i first get a new SSL * with
> SSL_new(), then attempt to change the callback function via
> SSL_set_verify(). said function is never called.
>
> i believe i have traced the problem to the following code:
>
> SSL_CTX_set_verify sets the cb for its cert store in ssl/ssl_lib.c:
>
>     ctx->verify_mode=mode;
>     ctx->default_verify_callback=cb;
>     /* This needs cleaning up EAY EAY EAY */
>     X509_STORE_set_verify_cb_func(ctx->cert_store,cb);
>
> while SSL_set_verify only sets the SSL's callback:
>
>     s->verify_mode=mode;
>     if (callback != NULL)
>         s->verify_callback=callback;
>     }
>
> then, in ssl_verify_cert_chain (ssl/ssl_cert.c), we call
> X509_verify_cert with the CTX's cert store (line 469):
>
>     i=X509_verify_cert(&ctx);
>
> and X509_verify_cert only has access to the cb member of ctx, which was
> set by SSL_CTX_set_verify(), but not by SSL_set_verify() here in
> crypto/x509/x509_vfy.c.
>
>     cb=ctx->verify_cb;
>     if (cb == NULL) cb=null_callback;
>
> it seems this should be fixed by allowing X509_verify_cert a second
> parameter, which is the callback if non-NULL. otherwise, use the
> default callback.
>
> --
> nicholas black ([EMAIL PROTECTED]) -=- developer, trellis network security
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                        [EMAIL PROTECTED]
> Automated List Manager                          [EMAIL PROTECTED]
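The callback plumbing the quoted report describes, as an added example that is not part of the original message or of OpenSSL's own code. It is a constructed, self-contained model of the four pieces the report names (the SSL_CTX default callback copied into the X509_STORE, the per-SSL callback that SSL_set_verify installs, and a verification routine that consults only the store context's callback), with a buggy path that reproduces the symptom and a fixed path that hands the per-connection callback to verification as the report proposes. All type and function names (`ssl_ctx_t`, `model_ssl_set_verify`, `verify_chain_buggy`, `run_scenario`, and so on) are this example's own and stand in for the OpenSSL structures; `server_side_cb` and `client_side_cb` are constructed stand-ins for the two verification functions the reporter wants to switch between.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model (not OpenSSL code) of the callback dispatch described
 * in the report. Names mirror the OpenSSL objects they stand in for. */
typedef int (*verify_cb)(int preverify_ok, const char *subject);

typedef struct { verify_cb store_cb; } x509_store_t;        /* X509_STORE */
typedef struct { verify_cb cb; } x509_store_ctx_t;           /* X509_STORE_CTX */

typedef struct {                                             /* SSL_CTX */
    int verify_mode;
    verify_cb default_verify_callback;
    x509_store_t *cert_store;
} ssl_ctx_t;

typedef struct {                                             /* SSL */
    ssl_ctx_t *ctx;
    int verify_mode;
    verify_cb verify_callback;
} ssl_t;

/* Records which callback last ran so callers can check the dispatch. */
static const char *last_cb_name = "none";

/* Constructed stand-ins for the reporter's two verification functions. */
static int server_side_cb(int ok, const char *subject) { (void)subject; last_cb_name = "server"; return ok; }
static int client_side_cb(int ok, const char *subject) { (void)subject; last_cb_name = "client"; return ok; }
static int null_cb(int ok, const char *subject)        { (void)subject; last_cb_name = "null";   return ok; }

/* Mirrors SSL_CTX_set_verify: the cb lands on the ctx and on its X509_STORE. */
void model_ctx_set_verify(ssl_ctx_t *ctx, int mode, verify_cb cb) {
    ctx->verify_mode = mode;
    ctx->default_verify_callback = cb;
    ctx->cert_store->store_cb = cb;
}

/* Mirrors SSL_set_verify: only the SSL object changes; the store does not. */
void model_ssl_set_verify(ssl_t *s, int mode, verify_cb cb) {
    s->verify_mode = mode;
    if (cb != NULL) s->verify_callback = cb;
}

/* Mirrors X509_verify_cert as quoted: it can only see the store context's cb. */
static int model_x509_verify_cert(x509_store_ctx_t *sctx, const char *subject) {
    verify_cb cb = sctx->cb ? sctx->cb : null_cb;
    return cb(1, subject);
}

/* Buggy path: the store context inherits the X509_STORE callback only, so a
 * callback installed with model_ssl_set_verify is never reached. */
const char *verify_chain_buggy(ssl_t *s, const char *subject) {
    x509_store_ctx_t sctx = { s->ctx->cert_store->store_cb };
    model_x509_verify_cert(&sctx, subject);
    return last_cb_name;
}

/* Fixed path: the per-connection callback, when set, is handed to verification
 * (the report proposes an extra X509_verify_cert parameter; this model reaches
 * the same effect by placing it on the store context before verifying). */
const char *verify_chain_fixed(ssl_t *s, const char *subject) {
    x509_store_ctx_t sctx = { s->ctx->cert_store->store_cb };
    if (s->verify_callback != NULL)
        sctx.cb = s->verify_callback;
    model_x509_verify_cert(&sctx, subject);
    return last_cb_name;
}

/* Builds the objects from the report: server cb as the context default and,
 * optionally, the client cb on one SSL object; then runs the chosen path and
 * returns the name of the callback that actually executed. */
const char *run_scenario(int install_per_ssl_cb, int use_fixed_path) {
    x509_store_t store = { NULL };
    ssl_ctx_t ctx = { 0, NULL, &store };
    ssl_t s = { &ctx, 0, NULL };
    last_cb_name = "none";
    model_ctx_set_verify(&ctx, 1, server_side_cb);
    if (install_per_ssl_cb)
        model_ssl_set_verify(&s, 1, client_side_cb);
    return use_fixed_path ? verify_chain_fixed(&s, "CN=peer")
                          : verify_chain_buggy(&s, "CN=peer");
}

int main(void) {
    printf("per-SSL cb set, buggy path ran: %s\n", run_scenario(1, 0));
    printf("per-SSL cb set, fixed path ran: %s\n", run_scenario(1, 1));
    printf("no per-SSL cb,  fixed path ran: %s\n", run_scenario(0, 1));
    return 0;
}
```

Running it shows the report's symptom on the buggy path (the context-wide server callback fires even though the client callback was installed on the connection) and the intended behaviour on the fixed path, which still falls back to the context default when no per-connection callback was set. Later OpenSSL releases take the second route modelled here, installing the SSL object's callback on the X509_STORE_CTX with X509_STORE_CTX_set_verify_cb before verification; whichever route is taken, the security-relevant check for an application is the same one the reporter did: confirm with a breakpoint or log line that the callback you expect for the current role is the one that actually runs, since a silently ignored verify callback can mean peer certificates are judged by the wrong policy.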
