"Fisk, Kevin" wrote: > > On the client side, you also need the lines: > > SSL_CTX_use_PrivateKey_file(ctx, "client.pem", SSL_FILETYPE_PEM); > SSL_CTX_use_certificate_file(ctx, "client.pem", SSL_FILETYPE_PEM); > > And, on the server side, you need a verifier function. > > int verify_callback(int ok, X509_STORE_CTX *ctx) > { > // return true to allow the connection or false to reject it. > } >

You don't need a verify_callback function most of the time unless you are
customizing the verify behaviour. Setting one which returns true all the
time, while OK for test purposes, is a security hole in a real system. This
is because it will accept any certificate the client presents and ignore
such things as whether the issuer is trusted.

Steve.
-- 
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED]
PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]