On Fri, Aug 09, 2013, Florian Weimer wrote:

> Qt installs a verification callback like this
>
> | // Register a custom callback to get all verification errors.
> | X509_STORE_set_verify_cb_func(ctx->cert_store, q_X509Callback);
>
> ctx is an SSL_CTX *. This callback is invoked not just to verify
> the server certificate, but also when OpenSSL tries to complete the
> certificate chain before sending the client certificate. OpenSSL
> clears errors resulting from this, but it cannot roll back the
> effects of calling the callback. Are these callback invocations
> expected behavior?
>
This is expected behaviour for OpenSSL 1.0.1 and earlier, where the same parent SSL_CTX store is used for both chain building and peer chain verification. If an application only wants to set a callback for verification of peer chains it should instead set the callback using SSL_CTX_set_verify().

OpenSSL 1.0.2 and later will support separate stores for chain building and peer verification.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org