Hello list,
on the server-side I want to verify manually the certificate that the
client sent, thus I am using SSL_CTX_set_cert_verify_callback() to a
callback that always does "return 1", and I run all custom checks later.
Is the CertificateVerify message sent from client to server still checked
for validity, even though the cert_verify_callback is overriden? If it is,
then how do I get notified in case a malicious host tries to forge the
CertificateVerify message? Is there a particular return code from
SSL_accept?
Thanks in advance,
Dimitris
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
