On Sat, Oct 07, 2000 at 08:19:52PM +0200, Lutz Jaenicke wrote:
> ...
> int verbose_mode;    /* non-zero: verify_callback also prints a line for each certificate that passed */
> int verify_depth;    /* largest chain depth verify_callback accepts; anything deeper is rejected */
> int always_continue; /* non-zero: verify_callback returns 1 even after a verification failure */
> ...
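> /*
>  * Certificate verification callback, installed with SSL_CTX_set_verify().
>  *
>  * preverify_ok  OpenSSL's own verdict for the certificate currently being
>  *               checked (1 = passed, 0 = failed).
>  * ctx           verification context; the current certificate, error code
>  *               and chain depth are read from it.
>  *
>  * Applies the application's verify_depth limit on top of OpenSSL's checks,
>  * prints a diagnostic for every failure (and, in verbose_mode, a line for
>  * every certificate that passed), and returns 1 to continue verification
>  * or 0 to fail it.
>  *
>  * NOTE: with always_continue set, 1 is returned even for a certificate
>  * that failed verification, so the handshake is not aborted on that
>  * failure. The error stored in the context is then the only trace of it:
>  * the caller must check SSL_get_verify_result() before trusting the peer.
>  */
> static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
> {
>     char buf[256];
>     X509 *err_cert;
>     int err, depth;
>
>     err_cert = X509_STORE_CTX_get_current_cert(ctx);
>     err = X509_STORE_CTX_get_error(ctx);
>     depth = X509_STORE_CTX_get_error_depth(ctx);
>
>     /* Bound the write by the buffer itself instead of repeating 256. */
>     X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
>
>     /*
>      * A certificate that passed OpenSSL's checks but sits deeper in the
>      * chain than the application allows is turned into a failure, and the
>      * error is stored in the context so it can be retrieved later.
>      */
>     if (preverify_ok && (depth > verify_depth)) {
>         preverify_ok = 0;
>         err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
>         X509_STORE_CTX_set_error(ctx, err);
>     }
>     if (!preverify_ok) {
>         printf("verify error:num=%d:%s:depth=%d:%s\n", err,
>                X509_verify_cert_error_string(err), depth, buf);
>     }
>     else if (verbose_mode)
>     {
>         printf("depth=%d:%s\n", depth, buf);
>     }
>
>     /*
>      * At this point, err contains the last verification error. We can use
>      * it for something special
>      */
>     if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT))
>     {
>         /*
>          * err_cert is the certificate returned by the accessor above;
>          * using it avoids reaching into the context structure directly.
>          */
>         X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, sizeof(buf));
>         printf("issuer= %s\n", buf);
>     }
>
>     /* Returning 1 here overrides a failed verification; see NOTE above. */
>     if (always_continue)
>         return 1;
>     else
>         return preverify_ok;
> }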
> ...
> SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
> verify_callback);
> ...
> SSL_accept(ssl); /* check of success left out for clarity */
> if (peer = SSL_get_peer_certificate(ssl))
> {
> if (SSL_get_verify_result(ssl) == X_509_OK)
^^^^^^^^
Shouldn't that be X509_V_OK?
Bye
Richard