On Sun, Aug 08, 1999 at 03:05:26PM +0000, Bodo Moeller wrote:
> Claus Assmann <[EMAIL PROTECTED]>:

[...]
>> how do I correctly set the verify_mode? Reading the code,
>> SSL_VERIFY_CLIENT_ONCE and SSL_VERIFY_PEER seem to be useful for
>> my purpose (try to verify the client, but don't fail).
[...]

> SSL_VERIFY_FAIL_IF_NO_PEER_CERT should not be set for your
> application, obviously.  Verification will still fail and the protocol
> be aborted if the client presents a certificate and OpenSSL does not
> like it.  To change this behaviour, you don't have to provide an X.509
> verification callback with SSL_CTX_set_verify (as s_client, s_server
> and ssltest do); you can use SSL_CTX_set_cert_verify_callback, which
> sets a higher level callback (app_verify_callback).  All this is still
> quite confusing in the library source code -- the naming is not always
> consistent, and various members of the structures are never used.  The
> relevant code for this is the following in ssl_verify_cert_chain
> (ssl/ssl_cert.c; this extract is simplified by hand-processing the
> #ifndef):
> 
>       if (s->ctx->app_verify_callback != NULL)
>               i=s->ctx->app_verify_callback(&ctx);
>       else
>               i=X509_verify_cert(&ctx);
> 
>       s->verify_result=ctx.error;
> 
> SSL_CTX_set_cert_verify_callback takes two arguments, the second of
> which is never used.  Obviously the idea was the second one would be
> passed to the callback -- this will likely be done so in OpenSSL
> 0.9.5.  All your callback has to do is call X509_verify_cert and
> return 1 if that function returned 0.  X509_verify_cert sets
> ctx.error, so that the application can see that something went wrong.

Unfortunately it turns out this advice was wrong because the value
stored in ctx.error is not restored when a session is resumed -- it
will contain X509_V_OK regardless of whether the peer's certificate
could be verified or not.  The next snapshot should fix this problem.
To remove the security holes in my example code, add an #if as below
(and don't use stale OpenSSL snapshot versions that pass the #if test
but don't avoid the problem).

> Example code:
> 
> static int
> verify_dont_fail_cb(X509_STORE_CTX *c)
> {
>     int i;
>     
>     i = X509_verify_cert(c); /* sets c->error */

#if OPENSSL_VERSION_NUMBER >= 0x00905000L

>     if (i == 0)
>       return 1;
>     else

#endif

>       return i;
> }
> 
> 
> SSL_CTX *
> tls_create_ctx(..., int fail_unless_verified_p, ...)
> {
>       .....
> 
>       SSL_CTX_set_verify(ret, SSL_VERIFY_PEER | (fail_unless_verified_p ?
>                               SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0), 0);
>       if (!fail_unless_verified_p)
>           SSL_CTX_set_cert_verify_callback(ret, verify_dont_fail_cb, NULL);
> 
>       .....
> }
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]