Thanks, this answers my question with great detail!

On Tue, 4 Feb 2014, Dr. Stephen Henson wrote:
> On Tue, Feb 04, 2014, Dimitrios Apostolou wrote:
>
> > Hello list,
> >
> > on the server side I want to verify manually the certificate that
> > the client sent, thus I am using SSL_CTX_set_cert_verify_callback()
> > to a callback that always does "return 1", and I run all custom
> > checks later.
> >
> > Is the CertificateVerify message sent from client to server still
> > checked for validity, even though the cert_verify_callback is
> > overridden? If it is, then how do I get notified in case a malicious
> > host tries to forge the CertificateVerify message? Is there a
> > particular return code from SSL_accept?
> >
>
> The certificate verify callback is only used for certificate chain validation.
> If it fails the handshake is aborted and CertificateVerify is not even
> examined. If it is successful the CertificateVerify signature is checked.
>
> If the CertificateVerify check fails the handshake is aborted with a fatal
> alert (SSL_AD_DECRYPT_ERROR). You don't get a specific return code from
> SSL_accept but an error will appear in the queue. The precise error will
> depend on the algorithm in use: see the ssl3_get_cert_verify functions for
> details.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
