On Tue, Feb 04, 2014, Dimitrios Apostolou wrote:

> Hello list,
> 
> on the server-side I want to verify manually the certificate that
> the client sent, thus I am using SSL_CTX_set_cert_verify_callback()
> to a callback that always does "return 1", and I run all custom
> checks later.
> 
> Is the CertificateVerify message sent from client to server still
> checked for validity, even though the cert_verify_callback is
> overridden? If it is, then how do I get notified in case a malicious
> host tries to forge the CertificateVerify message? Is there a
> particular return code from SSL_accept?
> 

The certificate verify callback is only used for certificate chain validation.
If it fails the handshake is aborted and CertificateVerify is not even
examined. If it is successful the CertificateVerify signature is checked.

If the CertificateVerify check fails the handshake is aborted with a fatal
alert (SSL_AD_DECRYPT_ERROR). You don't get a specific return code from
SSL_accept but an error will appear in the queue. The precise error will
depend on the algorithm in use: see the ssl3_get_cert_verify functions for
details.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]