Good to see that the message had triggered a nice discussion. Now things are clear.
Thanks for all.
Samy
Kyle Hamilton <[EMAIL PROTECTED]> wrote on 03.02.2006 03:27:
On 2/2/06, Alain Damiral <[EMAIL PROTECTED]> wrote:
> OK I understand.
>
> By subsequent transactions I originally thought you meant during the
> same session.
>
> I apologize for diverting from the problem of the original poster.
>
> Maybe I can redeem myself by pointing to the example callback function:
> http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
>
> and suggest trying to use
> http://www.openssl.org/docs/ssl/SSL_get_verify_result.html
>
> then test for return value 18 = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
> to deal with self signed certificates. Hope this is useful :)
#include <assert.h>
#include <openssl/ssl.h>
#include <openssl/x509_vfy.h>

/* Verify callback: OpenSSL's own checks run first (preverify); when they fail,
 * the only error we forgive is a self-signed leaf certificate. */
static int my_verify_routine(int preverify, X509_STORE_CTX *certcontext)
{
    assert(preverify == 1 || preverify == 0); /* sanity check to point out bugs in openssl */
    if (preverify == 1) {
        /* If the certificate passes the verify checks, allow it */
        return 1;
    }
    switch (X509_STORE_CTX_get_error(certcontext)) {
    case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
        /* any self-signed leaf is accepted here; which one is not checked */
        return 1;
    default:
        return 0;
    }
    /*NOTREACHED*/
    return 0;
}
[...]
SSL_CTX_set_verify(sslcontext, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                   my_verify_routine);
[...]
if I understand how this is properly overridden with no additional
data stored in the SSL structure? (There's precious little
documentation on the X509_STORE_CTX functions -- this is partly
obtained from the sample code in SSL_CTX_set_verify(3) manpage.)
-Kyle H
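An added example, not code from either poster: it uses the openssl command-line tool to reproduce the depth-zero self-signed error (18) that the callback above maps, and contrasts the "accept any self-signed cert" override with pinning one specific self-signed certificate as the trust anchor, which still rejects every other self-signed cert. It assumes the openssl binary is on PATH; the certificate names and temporary paths are made up.

```shell
#!/bin/sh
# Added example (not from the thread). Needs the openssl CLI; names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a throwaway self-signed cert named $1. A peer
# presenting one of these is what makes the verify callback see
# X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT (error 18).
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1.example.test" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Run the same path validation the default callback relies on (system trust
# store excluded, so the result depends only on the anchor given). Prints "ok"
# or the X509 verify error number reported at depth 0.
#   $1 = certificate to check, $2 = optional trust-anchor PEM file
verify_cert() {
    cert=$1; anchor=${2:-}
    if [ -n "$anchor" ]; then
        out=$(openssl verify -no-CAfile -no-CApath -CAfile "$anchor" "$cert" 2>&1 || true)
    else
        out=$(openssl verify -no-CAfile -no-CApath "$cert" 2>&1 || true)
    fi
    code=$(printf '%s\n' "$out" \
        | sed -n 's/.*error \([0-9][0-9]*\) at 0 depth lookup.*/\1/p' | head -n 1)
    if [ -z "$code" ]; then echo ok; else echo "$code"; fi
}

make_self_signed pinned   # the one cert we actually trust
make_self_signed other    # an unrelated self-signed cert

# With nothing trusted, a self-signed leaf fails exactly as in the thread:
verify_cert "$WORK/pinned.pem"                      # 18

# Pinning: load that one cert as the trust anchor instead of overriding the
# callback. It now verifies without any callback change:
verify_cert "$WORK/pinned.pem" "$WORK/pinned.pem"   # ok

# ...while any other self-signed cert is still rejected with error 18. The
# posted my_verify_routine would have returned 1 for this one too.
verify_cert "$WORK/other.pem" "$WORK/pinned.pem"    # 18
```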
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]