On Sat, Mar 09, 2013 at 11:04:06AM -0600, Ian Pilcher wrote:

> It's becoming pretty clear that OpenSSL doesn't provide a simple way to
> do this today.  (X509_V_FLAG_PARTIAL_CHAIN will probably enable this,
> but it will be years before that makes its way into slower moving
> distributions.)
> 
> > Alternatively, you might play around with policies, but that relies on
> > your hierarchy already having policies in its certificates.
> 
> My current thinking is that I should be able to do it with a validation
> callback.  I haven't worked out the details yet.

Yes, SSL_CTX_set_verify() or SSL_set_verify() allow you to validate
the trust chain yourself.

Note: Contrary to documentation the callback order is not necessarily
from the root down to the leaf in a single pass, rather this is only
the final list of callbacks. Prior callbacks may report other issues
in some other order (only error reports, never with ok=1).

Thus you may need to keep some state which you evaluate each time
the callback is made at depth 0. By the final depth 0 call you'll
have all the required information and will be able to allow
or reject the connection (or just update its verification status
without failing the handshake).

This is the approach taken in the Postfix DANE implementation
(under development).

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
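An added illustration of the stateful-callback approach Viktor describes; it is not code from the thread, from OpenSSL, or from Postfix. It models the callback as a function of the (ok, depth, error) triple a real `SSL_CTX_set_verify()` callback can read from its `X509_STORE_CTX`, records every error report regardless of the order it arrives in, and recomputes the verdict on each depth-0 call. It is built without OpenSSL so it compiles stand-alone; the three error-code values are copied from `x509_vfy.h`, the callback sequences are constructed, and the acceptance policy (tolerate only "issuer not found locally" for the topmost certificate) is an assumption chosen to fit the partial-chain question, not something the thread prescribes.

```c
/* Added example, not code from the thread: a model of the verify-callback
 * state machine described above.  Built without OpenSSL so it compiles
 * stand-alone; the callback sequences below are constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 16
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Error codes with the values OpenSSL's x509_vfy.h assigns to them. */
#define V_OK                                     0
#define V_ERR_CERT_HAS_EXPIRED                  10
#define V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20

typedef struct {
    int errors[MAX_DEPTH]; /* first error reported at each depth, V_OK if none */
    int top_depth;         /* highest depth seen in any callback */
    int depth0_calls;      /* number of depth-0 evaluations so far */
} verify_state;

/* Reset per connection, before the handshake's verification starts. */
void verify_state_init(verify_state *st) { memset(st, 0, sizeof *st); }

/* Assumed application policy (not from the thread): tolerate "issuer not
 * found locally" only for the topmost certificate, and only if that
 * certificate sits above the leaf, so the leaf really was checked against
 * a locally held certificate.  Any other recorded error rejects. */
static int evaluate(const verify_state *st)
{
    int d;
    for (d = 0; d <= st->top_depth; d++) {
        int e = st->errors[d];
        if (e == V_OK)
            continue;
        if (e == V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
            && d == st->top_depth && d > 0)
            continue;
        return 0;
    }
    return 1;
}

/* The callback body.  A real OpenSSL callback, int cb(int ok,
 * X509_STORE_CTX *ctx), would obtain depth and err from
 * X509_STORE_CTX_get_error_depth(ctx) and X509_STORE_CTX_get_error(ctx),
 * and reach its per-connection state via SSL_get_ex_data() on the SSL
 * returned by X509_STORE_CTX_get_ex_data(ctx,
 * SSL_get_ex_data_X509_STORE_CTX_idx()).  Returning 1 for an error at
 * depth > 0 lets verification continue so the remaining callbacks still
 * arrive; the verdict is recomputed on every depth-0 call and the last
 * one decides. */
int verify_cb_model(verify_state *st, int ok, int depth, int err)
{
    if (depth < 0 || depth >= MAX_DEPTH)
        return 0; /* defensive: refuse anything the state cannot track */
    if (depth > st->top_depth)
        st->top_depth = depth;
    if (!ok && st->errors[depth] == V_OK)
        st->errors[depth] = err;
    if (depth > 0)
        return 1; /* defer: the order of these calls is not guaranteed */
    st->depth0_calls++;
    return evaluate(st);
}

typedef struct { int ok, depth, err; } cb_call;

/* Replay a callback sequence the way OpenSSL would: stop at the first 0. */
int replay(const cb_call *calls, size_t n)
{
    verify_state st;
    size_t i;
    int rc = 0;
    verify_state_init(&st);
    for (i = 0; i < n; i++) {
        rc = verify_cb_model(&st, calls[i].ok, calls[i].depth, calls[i].err);
        if (!rc)
            return 0;
    }
    return rc;
}

/* Constructed sequences: leaf at depth 0, locally trusted intermediate
 * (not self-signed) at depth 2. */
static const cb_call SEQ_PARTIAL_CHAIN[] = {
    {0, 2, V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY}, /* early error report */
    {1, 1, V_OK}, {1, 0, V_OK},                      /* final top-down pass */
};
static const cb_call SEQ_EXPIRED_LEAF[] = {
    {0, 2, V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY},
    {0, 0, V_ERR_CERT_HAS_EXPIRED},                  /* rejected right here */
};
static const cb_call SEQ_EXPIRED_MID[] = {
    {0, 2, V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY},
    {0, 1, V_ERR_CERT_HAS_EXPIRED},                  /* deferred ... */
    {1, 0, V_OK},                                    /* ... rejected at depth 0 */
};
static const cb_call SEQ_NO_ISSUER_AT_ALL[] = {
    {0, 0, V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY}, /* leaf never checked */
};

int main(void)
{
    printf("partial chain:    %d\n", replay(SEQ_PARTIAL_CHAIN, COUNT(SEQ_PARTIAL_CHAIN)));
    printf("expired leaf:     %d\n", replay(SEQ_EXPIRED_LEAF, COUNT(SEQ_EXPIRED_LEAF)));
    printf("expired mid:      %d\n", replay(SEQ_EXPIRED_MID, COUNT(SEQ_EXPIRED_MID)));
    printf("no issuer at all: %d\n", replay(SEQ_NO_ISSUER_AT_ALL, COUNT(SEQ_NO_ISSUER_AT_ALL)));
    return 0;
}
```

The point of `replay()` stopping at the first 0 is that OpenSSL does the same: once the callback returns 0 the handshake fails and no further callbacks arrive, which is why errors at depth > 0 are recorded and deferred rather than judged on the spot. To merely annotate the connection instead of failing it, the callback would store the verdict in the state and always return 1.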
