I ran the same test with OpenSSL v0.9.8o on Linux. As soon as
verifyCallback returns 0, connect() fails with the CERT_UNTRUSTED
error from SSL_get_verify_result() as expected. Here's the log:
OpenSSL 0.9.8o 01 Jun 2010
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT
After some more investigation, the problem seems to happen only with
OpenSSL (v0.9.8r) preinstalled with Mac OS X 10.6.8.
If the test program is linked against *locally* built 0.9.8r,
CERT_UNTRUSTED is correctly reported by SSL_get_verify_result().
Log:
OpenSSL 0.9.8r 8 Feb 2011
compiler: cc
Sorry... there was a typo:
Incorrect:
Default build: darwin64-x86_64-cc (did not detect CERT_UNTRUSTED)
Local build: darwin64-x86_64-llvm (detected CERT_UNTRUSTED correctly)
Correct:
Default build: darwin64-x86_64-llvm (did not detect CERT_UNTRUSTED)
Local build: darwin64-x86_64-cc (detected
During the test of my C code using OpenSSL, I noticed that even though
CA certs were not loaded, SSL verification succeeded unexpectedly.
Attached below is a simplified code sample that demonstrates what I have been
seeing. I intentionally commented out the section that tries to load
CA certs, but
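The failure described in this thread is a client that "verifies" a peer while its trust store is empty. The checks below are an added example, not the poster's C program: they express the same guard through Python's standard ssl module (a binding over OpenSSL), so the misconfiguration is rejected before any connection is attempted. Function names and the constructed peer-cert dict in the test are assumptions of this example.

```python
"""Refuse a TLS client configuration that cannot fail verification."""
import ssl


def make_client_context(cafile=None, capath=None):
    """Build a client context that requires a verified peer certificate.

    PROTOCOL_TLS_CLIENT defaults to verify_mode=CERT_REQUIRED and
    check_hostname=True. Trust anchors are loaded only when the caller
    names them, so a forgotten cafile stays visible to the check below
    instead of being masked by an implicit default store.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile or capath:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    return ctx


def make_unverified_context():
    """The weak configuration (CERT_NONE accepts any certificate).

    Built here only so the pre-flight check can be shown rejecting it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_can_fail_verification(ctx):
    """Pre-flight check: a context is usable only if it can reject a peer.

    This is the condition the thread ran into: the handshake "succeeds"
    although no CA certificate was ever loaded. A store holding zero CA
    certificates is never a passing configuration, whatever the library
    version reports after the handshake.
    """
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        return False
    stats = ctx.cert_store_stats()      # keys: 'x509', 'crl', 'x509_ca'
    return stats["x509_ca"] > 0


def peer_was_verified(peer_cert):
    """Post-handshake check on the value of SSLSocket.getpeercert().

    getpeercert() yields None or an empty dict when no certificate was
    validated. This mirrors the C-side rule that SSL_get_verify_result()
    is only meaningful once SSL_get_peer_certificate() returned non-NULL.
    """
    return bool(peer_cert) and "subject" in peer_cert
```

Run context_can_fail_verification() once at startup and peer_was_verified() on every connection; together they catch both an empty trust store and a handshake that produced no validated certificate.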