I am using the following to link ssl to my container structure, so is it possible 
to get ssl from x509_ctx in verify_callback?
    SSL_set_app_data(ssl, this);

    int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx);


________________________________
From: Lei Kong <leik...@msn.com>
Sent: Thursday, October 27, 2016 1:24:05 AM
To: openssl-users@openssl.org
Subject: SSL_set_verify with a context?


What I am trying to achieve is to allow some minor certificate chain validation 
errors, e.g. "CRL unavailable", based on my per-session configuration. I am 
thinking of using my verify callback to record the errors.

void SSL_set_verify(SSL *s, int mode, int (*verify_callback)(int, X509_STORE_CTX *));

int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx);


Given the above interfaces, it seems I cannot set the callback with a context, 
which is needed to link a callback instance to my SSL session for error 
tracking. Yes, I can use SSL_get_verify_result to get the error afterwards, but 
is it guaranteed that the most severe error is always returned by 
SSL_get_verify_result? For example, I don't want "unable to get CRL" to mask 
other more important errors.


I would rather avoid re-validating the whole chain manually after the default 
validation has completed; is it possible to achieve my goal without repeating 
chain validation manually?


Any comment will be appreciated.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
