Re: Verify callback and sending of the client certificate
On Fri, Aug 09, 2013, Florian Weimer wrote:

> Qt installs a verification callback like this
>
> |// Register a custom callback to get all verification errors.
> |X509_STORE_set_verify_cb_func(ctx->cert_store, q_X509Callback);
>
> ctx is an SSL_CTX *. This callback is invoked not just to verify
> the server certificate, but also when OpenSSL tries to complete the
> certificate chain before sending the client certificate. OpenSSL
> clears errors resulting from this, but it cannot roll back the
> effects of calling the callback. Are these callback invocations
> expected behavior?
>

This is expected behaviour for OpenSSL 1.0.1 and earlier where the same
parent SSL_CTX store is used for both chain building and peer chain
verification.

If an application only wants to set a callback for verification of peer
chains it should instead set the callback using SSL_CTX_set_verify().

OpenSSL 1.0.2 and later will support separate stores for chain building
and peer verification.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: Verify callback and sending of the client certificate
On 08/09/2013 01:18 PM, Peter Sylvester wrote:
> On 08/09/2013 11:17 AM, Florian Weimer wrote:
>> Qt installs a verification callback like this
>>
>> |// Register a custom callback to get all verification errors.
>> |X509_STORE_set_verify_cb_func(ctx->cert_store, q_X509Callback);
>
> It is not recommended to access members in the way above, but rather:
>
> X509_STORE_set_verify_cb_func(SSL_CTX_get_store(ctx), q_X509Callback);

I think you mean SSL_CTX_get_cert_store, and this is unrelated to my
question. :-)

--
Florian Weimer / Red Hat Product Security Team
Re: Verify callback and sending of the client certificate
On 08/09/2013 11:17 AM, Florian Weimer wrote:
> Qt installs a verification callback like this
>
> |// Register a custom callback to get all verification errors.
> |X509_STORE_set_verify_cb_func(ctx->cert_store, q_X509Callback);

It is not recommended to access members in the way above, but rather:

X509_STORE_set_verify_cb_func(SSL_CTX_get_store(ctx), q_X509Callback);

/P
Verify callback and sending of the client certificate
Qt installs a verification callback like this

|// Register a custom callback to get all verification errors.
|X509_STORE_set_verify_cb_func(ctx->cert_store, q_X509Callback);

ctx is an SSL_CTX *. This callback is invoked not just to verify
the server certificate, but also when OpenSSL tries to complete the
certificate chain before sending the client certificate. OpenSSL
clears errors resulting from this, but it cannot roll back the
effects of calling the callback. Are these callback invocations
expected behavior?

--
Florian Weimer / Red Hat Product Security Team