On Thu, 2008-05-29 at 12:44 +0200, Rainer Gerhards wrote:
> On Thu, 2008-05-29 at 10:12 +0200, Balazs Scheidler wrote:
> > On Thu, 2008-05-29 at 09:45 +0200, Rainer Gerhards wrote:
> > > Inline...
> > > > -----Original Message-----
> > > > From: Joseph Salowey (jsalowey) [mailto:[EMAIL PROTECTED]
> > > > Sent: Thursday, May 29, 2008 2:32 AM
> > > > To: Rainer Gerhards; [email protected]
> > > > Subject: RE: [Syslog] Fingerprint/handshake
> > > > 
> > > > Hi Rainer,
> > > > 
> > > > A TLS alert could be sent by the server indicating the error condition.
> > > > Would this help?
> > 
> > > That's an interesting idea. Let me give it a try. Will provide feedback 
> > > when I have done this. In any case, if it turns out to be a problem with 
> > > one library, we may be better off mandating that all verification is done 
> > > during the handshake...
> > 
> > By the way, I've read in your implementation report that it is not
> > possible to terminate the handshake with OpenSSL either. This is not the
> > case, you can do that.
> 
> Ah, good to know. So it looks like this is a single-library problem,
> about which the standard should obviously not care.
> 
> Bazsi, could you do me a favor and let me know which callback you use,
> so that I can get to the specifics (also for the GnuTLS folks). I'd
> really appreciate that.
> 

In OpenSSL the complete peer validation process can be changed by using 
SSL_CTX_set_cert_verify_callback(); it gets an X509_STORE populated with
the peer-supplied key chain and returns whether the validation failed.

If the callback returns failure, an alarm is sent back to the peer
depending on the error code that is returned by this callback.


-- 
Bazsi


_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog