I am a bit confused. My verify_callback() routine does not seem to do
what it is supposed to.
Here is what I want: If a server presents a cert that is not signed by
one of my 'trusted' CAs, I don't want to connect. Period. As it is
now, it seems to log a message, then the SSL_connect() happily continues
on its way, connects, etc.
I think the problem is here, in the check of verify_depth and depth:
    #include <stdio.h>
    #include <openssl/ssl.h>
    #include <openssl/x509.h>
    #include <openssl/x509_vfy.h>

    extern void log_error(const char *msg);   /* the application's logging routine, not shown */

    static int verify_depth = 1;              /* set to 1 by the application */
    static int verify_error = X509_V_OK;

    static int verify_callback(int ok, X509_STORE_CTX *ctx)
    {
        char buf[256], errbuf[512];
        X509 *err_cert;
        int err, depth;

        err_cert = X509_STORE_CTX_get_current_cert(ctx);
        err = X509_STORE_CTX_get_error(ctx);
        depth = X509_STORE_CTX_get_error_depth(ctx);
        if (!ok)
        {
            X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
            snprintf(errbuf, sizeof(errbuf), "depth=%d %s\n", depth, buf);
            log_error(errbuf);
            snprintf(errbuf, sizeof(errbuf), "verify error:num=%d:%s\n", err,
                     X509_verify_cert_error_string(err));
            log_error(errbuf);
            /* the comparison in question */
            if (verify_depth >= depth)
            {
                ok = 1;
                verify_error = X509_V_OK;
                snprintf(errbuf, sizeof(errbuf),
                         "verify_depth: %d, cert verified to depth: %d",
                         verify_depth, depth);
                log_error(errbuf);
            }
            else
            {
                ok = 0;
                verify_error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
                snprintf(errbuf, sizeof(errbuf), "verify error:%s\n",
                         X509_verify_cert_error_string(verify_error));
            }
        }
        return ok;
    }
This is the format that has been suggested to me, and what is used in
s_client. I am setting verify_depth to 1, and it gets verified to depth
0 when I don't have the CA cert available. It seems to me the
verification process _begins_ with the peer cert, _then_ goes to the CA
cert. If it cannot find the CA cert, the 'verified' depth returns as
0. The verify_depth, of course, is 1. So shouldn't that comparison
read like this:
if (verify_depth < depth)
??
TIA
L
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
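Added example (not code from the post or from OpenSSL itself): a small C model of how the verify callback's return value steers the chain walk, comparing the s_client-style policy quoted above, which overwrites ok with 1 whenever the error depth is within verify_depth, against a strict callback that returns the library's verdict unchanged. The error numbers are defined locally, and the chain and trust-store contents ("CN=server", "CN=Example CA") are constructed for the model; with the CA cert missing, the s_client-style policy reproduces the "logs, then connects anyway" behaviour described in the post.

```c
#include <string.h>

/* Error numbers as in OpenSSL's x509_vfy.h, defined locally so this
 * model builds without the OpenSSL headers. */
#define X509_V_OK 0
#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20

/* s_client-style policy from the post: a failed check at a depth within
 * verify_depth is overwritten with ok=1, so the handshake continues. */
static int sclient_style_cb(int ok, int err, int depth, int verify_depth)
{
    (void)err;
    return ok ? 1 : (verify_depth >= depth);   /* 1 = continue, 0 = abort */
}

/* Strict policy: never upgrade a failed check; returning the library's
 * verdict unchanged makes SSL_connect() fail on an untrusted chain. */
static int strict_cb(int ok, int err, int depth, int verify_depth)
{
    (void)err; (void)depth; (void)verify_depth;
    return ok;
}

struct cert { const char *subject; const char *issuer; };
/* Model of the chain walk: chain[0] is the peer cert (depth 0), chain[i]
 * issues chain[i-1]. If no trusted CA issued the topmost cert, the error
 * is raised at that depth and the callback decides whether to go on. */
static int verify_chain(const struct cert *chain, int n,
                        const char *const *trusted, int ntrusted,
                        int verify_depth, int (*cb)(int, int, int, int))
{
    int top = n - 1, i, found = 0;
    for (i = 0; i < ntrusted; i++)
        if (strcmp(chain[top].issuer, trusted[i]) == 0) found = 1;
    if (!found && !cb(0, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
                      top, verify_depth))
        return 0;
    for (i = top; i >= 0; i--)       /* remaining per-cert checks pass */
        if (!cb(1, X509_V_OK, i, verify_depth)) return 0;
    return 1;
}

/* Constructed scenario from the post: peer cert issued directly by
 * "CN=Example CA", verify_depth 1, CA cert present (1) or missing (0). */
static int run_scenario(int ca_present, int (*cb)(int, int, int, int))
{
    const struct cert chain[] = { { "CN=server", "CN=Example CA" } };
    const char *const store[] = { "CN=Example CA" };
    return verify_chain(chain, 1, store, ca_present ? 1 : 0, 1, cb);
}
```

In a real client the strict policy needs no callback at all: SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL) together with SSL_CTX_set_verify_depth(ctx, 1) makes SSL_connect() fail on any chain that does not end at a loaded CA.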