Dr S N Henson wrote:

>Joerg Bartholdt wrote:
>
>>Hi *,
>>
>>During the SSL Handshake, OpenSSL can call a verify_callback
>>that can manipulate the outcome of the certificate verification
>>process.
>>If I use some longterm evaluation like an OCSP-Request, my single
>>threaded application is blocked during this time. I cannot return
>>a value like "I don't know yet, ask later" - I have to have the
>>decision before I return from the callback.
>>So, there is no chance for handling other connections (I usually use
>>select() and async IO to handle multiple connections which OpenSSL
>>can do pretty well in all other states...) during that time.
>>
>I'm not sure this has ever been tested but it looks like you can handle
>this by returning -1 from the verify callback instead of the normal
>1=success or 0=failure. There's some code in place that handles this in
>a manner analogous to other non-blocking operations using a special
>condition SSL_ERROR_WANT_X509_LOOKUP.
>
Hm, I just tried it, but "-1" accepts the certificate. Maybe I have to 
set something in the X509_STORE which is given as a parameter to the 
verify_callback? I'll have a look into the code, maybe I find something.

Thanks so far.

Jörg


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
