Hello, I have to apologize that I'm sending this message to the dev list. I've tried to send it to the users list, but for some reason it's not arriving. Thanks for the help, Sharon.

Subject: Verify_callback problem in SSL_set_verify() vs. SSL_CTX_set_verify().

Hi to all,

I've searched the mailing list before writing this down, so I hope I'm not repeating an already known problem.

I found the following problem: when I am using SSL_CTX_set_verify(<context>, <verify_mode>, <verify_callback>), the callback IS called, but when I'm using SSL_set_verify(<ssl>, <verify_mode>, <verify_callback>), the callback is NOT performed (even though the docs state they are the "same" functions, but on different levels).

I did some research and found that both settings are used at the end in X509_verify_cert(), and there is a callback which is called from there, and it is set from X509_STORE_CTX ctx->verify_cb. The problem is that in SSL_CTX_set_verify() the setting of this specific callback is done, as in SSL_CTX there is a member called "cert_store" which has a member "verify_cb". Instead, in SSL_set_verify(), the input callback is saved to ssl->verify_callback, and this field is never used in X509_verify_cert().

I hope the problem is understood. For any questions, you're more than welcome to ask.

If this is a bug, I think I have a proposal for a solution (not the whole one, but at least for the regular handshake flow): I think the fix should be in the ssl_verify_cert_chain() function (ssl_cert.c file) and, approximately, it should be like this:

    X509_STORE_CTX *store_ctx;
    SSL_CTX *ssl_ctx;
    SSL *ssl;

    if (ssl->verify_callback != NULL)
        store_ctx->verify_cb = ssl->verify_callback;
    else if (ssl_ctx->cert_store->verify_cb != NULL)
        store_ctx->verify_cb = ssl_ctx->cert_store->verify_cb;
    else
        store_ctx->verify_cb = null_callback;

I hope that if there is a problem, it will be fixed soon, and if it's not a problem but my mistake, somebody will be kind and will explain to me why I have this problem.

Thanks a lot, Sharon.