> On Sep 11, 2018, at 2:09 AM, Armen Babikyan <armen.babik...@gmail.com> wrote:
>
> I have a question regarding openssl and verification of client certificates.
> Is there a way to have an openssl-enabled server ask for a client
> certificate, and when it receives one it can't verify, rather than
> immediately terminating the handshake, it would allow the connection, but
> pass some context about the failed verification to the calling application?

Yes.

> It appears that what I want is not possible from the SSL_VERIFY_* options
> presented here:

Actually, SSL_VERIFY_PEER is the right choice, but you also need a
non-null verification callback that continues (by returning 1)
despite failures to verify the client certificate.

You can check the verification status at the completion of the
handshake via SSL_get_verify_result(3).

--
Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users