Thanx for your reply. But about question 3: which API returns "Peer cert
verify depth=2"? Which function returns the depth, or where can I find it?

 Once more TIA,
 Robin

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Lutz Jaenicke
Sent: vrijdag 4 mei 2001 15:59
To: [EMAIL PROTECTED]
Subject: Re: newbie question : Verification callback
(SSL_CTX_set_verify, SSL_set_verify)


On Fri, May 04, 2001 at 02:56:33PM +0200, Robin Gorris wrote:
> I have some questions on the verification callback function. By the way, I'm
> using the SSL_VERIFY_PEER mode.
>
>  1. Is it best practice to put all the certificate checks in this callback
> function?
Yes, I would recommend doing so, as by the return value of the verification
callback you can decide whether you want to continue the handshake or
stop with a corresponding alert.

>  2. Is it so that the number of times this function is called is equal to
> the verification depth used?
Yes and no.
Yes: If no error is encountered, the callback is called once for
each level with "preverify_ok = 1", so that the callback has the last
word for each level.
No: If errors are encountered, the verify callback is called
for each error found.

>  3. If so, how do I get to know the verification depth at runtime? I'll be
> more specific on this : if I wanted to add an extra check only for the last
> certificate in the chain (that of the client), how would I do this?
The check is performed starting with the root CA, which has the highest
level count. The check is finished for the server (or client) certificate
at level "0".
My email server's certificate (serv01) was issued by our university's CA
(BTU CA), which was issued by the German research network's root CA
(DFN-PCA). The extended logs of a connection from Postfix/TLS look
like this:
...
May  4 15:51:15 ws01 postfix/smtp[22785]: Peer cert verify depth=2
/C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification
[EMAIL PROTECTED]
May  4 15:51:15 ws01 postfix/smtp[22785]: verify return:1
May  4 15:51:16 ws01 postfix/smtp[22785]: Peer cert verify depth=1
/C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet
[EMAIL PROTECTED]
May  4 15:51:16 ws01 postfix/smtp[22785]: verify return:1
May  4 15:51:16 ws01 postfix/smtp[22785]: Peer cert verify depth=0
/C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet
Cottbus/OU=Allgemeine Elektrotechnik und Numerische
[EMAIL PROTECTED]
May  4 15:51:16 ws01 postfix/smtp[22785]: verify return:1
...
Therefore you have to make the last check, when level 0 is reached (and
preverify_ok = 1).

Best regards,
        Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
