On Sun, Feb 17, 2013, Jeremy Harris wrote:
> On 02/16/2013 10:51 PM, Dr. Stephen Henson wrote:
> > So you could supply an application defined callback that just calls
> > X509_verify_cert too which keeps the current behaviour. If that call is
> > successful you can then note the chain for future use using
> > X509_STORE_CTX_get1_chain().
>
> That's fine except that we're using SSL_CTX_set_verify() callback already
> and the docs say it and SSL_CTX_set_cert_verify_callback() should not
> be mixed.
That explanation could be clearer. In this case it's fine to mix the two.

In more detail... If you set a callback with SSL_CTX_set_verify() it can
completely take over the whole verification operation and do things in a
completely different way. It has no obligation to honour the way the verify
callback for the standard verification routine X509_verify_cert() works so an
application which replaces both can't rely on it behaving as they might expect.

In this specific example though the replacement for X509_verify_cert would
actually call X509_verify_cert and process the certificate chain after that
call. So it would retain the functionality of the original.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org