On Sun, Aug 08, 1999 at 06:24:04PM -0700, Claus Assmann wrote:
> I use some slightly different code
> than your example which worked for my tests:
>
> init:
> SSL_CTX_set_verify(ctx, SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER, verify_cb);
>
> static int verify_cb(int ok, X509_STORE_CTX *ctx) { return 1; }
>
> Is this "equivalent" to your example code?
No, not quite. As you observed, verify_cb is called multiple times.
Without verify_cb, certificate chain validation stops as soon as a
problem is found (see internal_verify in crypto/x509/x509_vfy.c). So
in one case ctx->error contains the first error, while with that
verify_cb it contains the last error (and you end up checking more
signatures than necessary for finding out that you don't want to
trust the certificate).
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]