RE: Peer certificate verification in verify_callback

2020-04-02 Thread Michel
) and the like as mentioned in X509_STORE_add_cert man page or something else? Regards, Michel -Original message- From: openssl-users [mailto:openssl-users-boun...@openssl.org] On behalf of Viktor Dukhovni Sent: Monday, 30 March 2020 23:19 To: openssl-users@openssl.org Subject: Re: Peer certific

Re: Peer certificate verification in verify_callback

2020-03-30 Thread Jason Schultz
s again, Jason From: openssl-users on behalf of Viktor Dukhovni Sent: Monday, March 30, 2020 9:19 PM To: openssl-users@openssl.org Subject: Re: Peer certificate verification in verify_callback On Mon, Mar 30, 2020 at 09:02:47PM +, Jason Schultz wrote: > I won't get

Re: Peer certificate verification in verify_callback

2020-03-30 Thread Viktor Dukhovni
of > dealing with these types of errors was with setting a verify_callback() > function, which is part of the description below. The verify callback is mostly for logging and error reporting. It is not intended to supplant the built-in verification logic. While it can be used to ignore some

Re: Peer certificate verification in verify_callback

2020-03-30 Thread Jason Schultz
se type of errors was with setting a verify_callback() function, which is part of the description below. I set up an X509_STORE object and then cycle through all of the certificate files in /etc/ssl/certs/, open them, and call PEM_read_X509() to get an X509 (certificate) object and then

Re: Peer certificate verification in verify_callback

2020-03-30 Thread Viktor Dukhovni
On Thu, Mar 05, 2020 at 02:04:27PM +, Jason Schultz wrote: > I have some questions about my application’s verify_callback() function and > how I handle some of the OpenSSL errors. You're going about this the wrong way. Instead of trying (likely insecurely) to patch up verifica

Re: Peer certificate verification in verify_callback

2020-03-30 Thread Jeremy Harris
On 30/03/2020 17:01, Jason Schultz wrote: > For example, if my client application is presented a self-signed certificate > in the handshake, verify_callback() is called with an error, for which > X509_STORE_CTX_get_error() returns 18/X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. > In t

Re: Peer certificate verification in verify_callback

2020-03-30 Thread Jason Schultz
l.org Subject: Peer certificate verification in verify_callback I have some questions about my application’s verify_callback() function and how I handle some of the OpenSSL errors. For example, if my client application is presented a self-signed certificate in the handshake, verify_callback

Peer certificate verification in verify_callback

2020-03-05 Thread Jason Schultz
I have some questions about my application’s verify_callback() function and how I handle some of the OpenSSL errors. For example, if my client application is presented a self-signed certificate in the handshake, verify_callback() is called with an error, for which X509_STORE_CTX_get_error

Re: 1.0.2 to 1.1 migration problem with verify_callback()

2019-08-08 Thread Salz, Rich via openssl-users
> (why doesn't it use SSL_get_ex_data_X509_STORE_CTX_idx() instead of 0?). History; OpenSSL reserved some exdata indices for itself.

Re: 1.0.2 to 1.1 migration problem with verify_callback()

2019-08-07 Thread Remy Lebeau
In my verify callback (for 1.0.2, mind you), I use X509_STORE_CTX_get_app_data(ctx) to get the SSL* pointer. X509_STORE_CTX_get_app_data(ctx) is a macro in OpenSSL's "x509_vfy.h" header file that maps to X509_STORE_CTX_get_ex_data(ctx,0) (why doesn't it use SSL_get_ex_data_X509_STORE_CTX_idx()

Re: 1.0.2 to 1.1 migration problem with verify_callback()

2019-08-05 Thread Matt Caswell
On 02/08/2019 18:24, Neptune wrote: > I am in the process of migrating our code from the 1.0.2 library to 1.1 and > have run across a situation that I am struggling to reconcile: > > The existing code utilizes the verify_callback() function in order to > perform validation mea

1.0.2 to 1.1 migration problem with verify_callback()

2019-08-02 Thread Neptune
I am in the process of migrating our code from the 1.0.2 library to 1.1 and have run across a situation that I am struggling to reconcile: The existing code utilizes the verify_callback() function in order to perform validation measures against a peer certificate. This callback performs

Re: Verify that certificate does not change, in the verify_callback

2014-05-23 Thread Kyle Hamilton
I don't specifically know the behavior of the code, so I have no means of answering your question directly. That said, it would certainly work if you stored a copy of the certificate during your VerifyCallback(), and compared with the version you copied out yourself. You might wish to balance thi

Re: Verify that certificate does not change, in the verify_callback

2014-05-23 Thread Dimitrios Apostolou
The same question in much more specific terms: int VerifyCallback(X509_STORE_CTX *store_ctx, void *arg) Is the certificate stored in store_ctx the *new* one that the peer sends in case of *renegotiation*? Is the certificate stored in the SSL struct (obtained via SSL_get_peer_certificate()) t

Verify that certificate does not change, in the verify_callback

2014-05-21 Thread Dimitrios Apostolou
Hello list, I'm using SSL_CTX_set_cert_verify_callback(empty_callback) to bypass all certificate chain walking and validation. I extract and validate the RSA key *after* handshake and verify only that. However I believe this callback can be called an arbitrary number of times after the initial handshake, in

verify_callback

2007-07-29 Thread Sevin
One question about custom certificate checks: I have written a custom "verify_callback" function which returns true always. That is, I accept any certificate chain. Also I use: ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, depth=9, callback=verify_callback) opti

verify_callback is called twice on a self-signed certificate from the server

2003-02-27 Thread BORANNA,NAGARAJA (HP-Cupertino,ex1)
Hi, In my ssl client program I set SSL_CTX_set_verify(sslContext, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_callback); During handshake, Server sends a self-signed certificate to the Client. Client's verify_callback gets called two times. My verify_callback must prompt the user to

Re: Longterm verify_callback in single threaded app

2002-03-11 Thread Lutz Jaenicke
On Mon, Mar 11, 2002 at 09:18:08AM +0100, Joerg Bartholdt wrote: > Dr S N Henson wrote: > > >Joerg Bartholdt wrote: > > > >>Hi *, > >> > >>During the SSL Handshake, OpenSSL can call a verify_callback > >>that can manipulate the outcome of

Re: Longterm verify_callback in single threaded app

2002-03-11 Thread Joerg Bartholdt
Dr S N Henson wrote: >Joerg Bartholdt wrote: > >>Hi *, >> >>During the SSL Handshake, OpenSSL can call a verify_callback >>that can manipulate the outcome of the certificate verification >>process. >>If I use some longterm evaluation like an OCSP-Re

Re: Longterm verify_callback in single threaded app

2002-03-10 Thread Dr S N Henson
Joerg Bartholdt wrote: > > Hi *, > > During the SSL Handshake, OpenSSL can call a verify_callback > that can manipulate the outcome of the certificate verification > process. > If I use some longterm evaluation like an OCSP-Request, my single > threaded application is

Re: Longterm verify_callback in single threaded app

2002-03-08 Thread Lutz Jaenicke
On Fri, Mar 08, 2002 at 09:42:42AM +0100, Joerg Bartholdt wrote: > During the SSL Handshake, OpenSSL can call a verify_callback > that can manipulate the outcome of the certificate verification > process. > If I use some longterm evaluation like an OCSP-Request, my single > threa

Longterm verify_callback in single threaded app

2002-03-08 Thread Joerg Bartholdt
Hi *, During the SSL Handshake, OpenSSL can call a verify_callback that can manipulate the outcome of the certificate verification process. If I use some longterm evaluation like an OCSP-Request, my single threaded application is blocked during this time. I cannot return a value like "I

Async IO and long running verify_callback (e.g. OCSP)

2002-03-05 Thread Joerg Bartholdt
Hi *, when using a single threaded application, I can use Async IO even with OpenSSL to cope with many concurrent connections (using select()). Unfortunately, if I use a verify_callback for doing checking on the certificates of my peer, I _have to_ generate a decision immediately if I do not

Re: Identifying peer cert in verify_callback

2001-11-21 Thread Lutz Jaenicke
On Wed, Nov 21, 2001 at 06:17:21PM +0530, Krishnaswamy R. wrote: > I am using a certificate verification callback function as follows > > SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, cert_verify_cb); > > In the callback function, in addition to the standard certificate > verification done by Open

Identifying peer cert in verify_callback

2001-11-21 Thread Krishnaswamy R.
Hi all, I am using a certificate verification callback function as follows SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, cert_verify_cb); In the callback function, in addition to the standard certificate verification done by OpenSSL, I need to check the subject-name of the peer certificate. Since

Re: verify_callback???

2001-03-20 Thread Lutz Jaenicke
ipe Contente wrote: > > > Hi everybody! > > > > > > what does a verify_callback method should do?? > > > > http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html The requirements of the verify_callback routine are explained in this manual page. It even contain

Re: verify_callback???

2001-03-19 Thread Filipe Contente
You have sent it to me before, and it didn't help... could you try to answer my questions??? thanks Lutz Jaenicke wrote: > > On Mon, Mar 19, 2001 at 06:41:31PM +, Filipe Contente wrote: > > Hi everybody! > > > > what does a verify_callback method should do?

Re: verify_callback???

2001-03-19 Thread Lutz Jaenicke
On Mon, Mar 19, 2001 at 06:41:31PM +, Filipe Contente wrote: > Hi everybody! > > what does a verify_callback method should do?? http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html > I'm trying to get the client certificate, but I'm having a few troubles. > the ssl->s

Re: verify_callback - server verification

2000-11-01 Thread Lutz Jaenicke
s still consistent. We have a CURRENT_CERT, failure is flagged, so now we can use the verify_callback to get the certificate currently being checked, the preverify_ok value (the certificate did not pass) and can access the reason for the verification failure. The verify_callback can now evaluate the verificati

AW: verify_callback - server verification

2000-11-01 Thread Thomas Geller
First of all thank you Lutz for your help. > The result at depth 0 says, that the certificate at level 0 is consistently > signed from its CA. The CA itself (at level 1) however failed verification > for several reasons. > The preverify_ok state only indicates whether the certificate at the > act

Re: verify_callback - server verification

2000-10-31 Thread Lutz Jaenicke
On Tue, Oct 31, 2000 at 05:34:24PM +0100, Thomas Geller wrote: > At this time I'm ignoring all errors in the VerifyCallback and only prove > the string of the company name in the peer certificate. > This is not satisfying for me. On depth 0 OpenSSL passes a value of 1 > for the preverify_ok

verify_callback - server verification

2000-10-31 Thread Thomas Geller
I think this issue is discussed many times here but not totally satisfying for my case. I'm an OpenSSL beginner and maybe there is a little help out there. I'm implementing an SSL client in Delphi with client authentication. My problem is verifying the SSL server. I've read the manual page a

Re: verify_callback question - probably an easy one.

2000-10-22 Thread Louis LeBlanc
Lutz Jaenicke wrote: > several weeks. If you are ever in the Boston Area, I owe you a beer (we > > have some decent American beers around here :) > I don't have any special plans to come to the Boston area, but I will remember > your words. (And be aware that the German type of invitation is mor

Re: verify_callback question - probably an easy one.

2000-10-19 Thread Lutz Jaenicke
On Thu, Oct 19, 2000 at 04:35:04PM -0400, Louis LeBlanc wrote: > Ok, I think I get it now. The depth strictly relates to how many > 'signings' you are removed from a root cert. I don't want to accept > anything signed by someone who is also signed by a root cert, so I set > my depth at 1. If I

Re: verify_callback question - probably an easy one.

2000-10-19 Thread Louis LeBlanc
n > > read like this: > > The certificate is checked at all depth levels it contains. The culprit > is to check out the "ok" value handed to the verify_callback. > Since last week there is a manual page available: > http://www.openssl.org/docs/ssl/SSL_

Re: verify_callback question - probably an easy one.

2000-10-19 Thread Lutz Jaenicke
of course, is 1. So shouldn't that comparison > read like this: The certificate is checked at all depth levels it contains. The culprit is to check out the "ok" value handed to the verify_callback. Since last week there is a manual page available: http://www.openssl.org/docs/ssl/SSL_CT

verify_callback question - probably an easy one.

2000-10-19 Thread Louis LeBlanc
I am a bit confused. My verify_callback() routine does not seem to do what it is supposed to. Here is what I want: If a server presents a cert that is not signed by one of my 'trusted' CAs, I don't want to connect. Period. As it is now, it seems to log a message, then

verify_callback and multithread

2000-09-12 Thread yongw
In a multithreaded program, every thread has a client certificate verify_callback. In the verify_callback function, I need to tell the thread the error info. How can I know which thread this verify_callback function belongs to? Thanks