During the test of my C code using OpenSSL, I noticed that even though
CA certs were not loaded, SSL verification succeeded unexpectedly.
Attached below is simplified code that demonstrates what I have been
seeing. I intentionally commented out the section where it tries to load
CA certs, but
I ran the same test with OpenSSL v0.9.8o on Linux. As soon as
verifyCallback returns 0, connect() fails with the CERT_UNTRUSTED
error from SSL_get_verify_result() as expected. Here's the log:
OpenSSL 0.9.8o 01 Jun 2010
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT
After some more investigation, the problem seems to happen only with
OpenSSL (v0.9.8r) preinstalled with Mac OS X 10.6.8.
If the test program is linked against *locally* built 0.9.8r,
CERT_UNTRUSTED is correctly reported by SSL_get_verify_result().
Log:
OpenSSL 0.9.8r 8 Feb 2011
compiler: cc
CERT_UNTRUSTED correctly)
Thanks.
On Wed, Nov 16, 2011 at 2:53 PM, Yutaka Takeda yt0...@gmail.com wrote:
After some more investigation, the problem seems to happen only with
OpenSSL (v0.9.8r) preinstalled with Mac OS X 10.6.8.
If the test program is linked against *locally* built 0.9.8r