On Fri, May 04, 2001 at 02:56:33PM +0200, Robin Gorris wrote:
> I have some questions on the verification callback function. By the way, I'm
> using the SSL_VERIFY_PEER mode.
>
> 1. Is it best practice to put all the certificate checks in this callback
> function?

Yes, I would recommend doing so, as by the return value of the verification
callback you can decide whether you want to continue the handshake or stop
with a corresponding alert.

> 2. Is it so that the number of times this function is called is equal to
> the verification depth used?

Yes and no.
Yes: If no error is encountered, the callback is called once for each level
with "preverify_ok = 1", so that the callback has the last word for each level.
No: If errors are encountered, the verify callback is called for each error
found.

> 3. If so, how do I get to know the verification depth at runtime? I'll be
> more specific on this: if I wanted to add an extra check only for the last
> certificate in the chain (that of the client), how would I do this?

The check is performed starting with the root CA, which has the highest level
count. The check is finished for the server (or client) certificate at level
"0".

My email server's certificate (serv01) was issued by our university's CA
(BTU CA), which was issued by the German research network's root CA (DFN-PCA).
The extended logs of a connection from Postfix/TLS look like this:

...
May 4 15:51:15 ws01 postfix/smtp[22785]: Peer cert verify depth=2 /C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification [EMAIL PROTECTED]
May 4 15:51:15 ws01 postfix/smtp[22785]: verify return:1
May 4 15:51:16 ws01 postfix/smtp[22785]: Peer cert verify depth=1 /C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet [EMAIL PROTECTED]
May 4 15:51:16 ws01 postfix/smtp[22785]: verify return:1
May 4 15:51:16 ws01 postfix/smtp[22785]: Peer cert verify depth=0 /C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet Cottbus/OU=Allgemeine Elektrotechnik und Numerische [EMAIL PROTECTED]
May 4 15:51:16 ws01 postfix/smtp[22785]: verify return:1
...

Therefore you have to make the last check, when level 0 is reached (and
preverify_ok = 1).

Best regards,
	Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]