[openssl-users] Preventing Handshake Termination Because of Unverifiable Client Certificates

Armen Babikyan armen.babikyan at gmail.com
Tue Sep 11 06:25:27 UTC 2018


Hi Viktor,

I realized that something like this could be an option a few minutes after
I hit "send".  Thanks for the confirmation - I'll give this a shot!

Many thanks!

Armen


On Mon, Sep 10, 2018 at 11:19 PM, Viktor Dukhovni <
openssl-users at dukhovni.org> wrote:

>
>
> > On Sep 11, 2018, at 2:09 AM, Armen Babikyan <armen.babikyan at gmail.com>
> wrote:
> >
> > I have a question regarding openssl and verification of client
> certificates.  Is there a way to have an openssl-enabled server ask for a
> client certificate, and when it receives one it can't verify, rather than
> immediately terminating the handshake, it would allow the connection, but
> pass some context about the failed verification to the calling application?
>
> Yes.
>
> > It appears that what I want is not possible from the SSL_VERIFY_*
> options presented here:
>
> Actually, SSL_VERIFY_PEER is the right choice, but you also need a
> non-null verification callback that continues (by returning 1)
> despite failures to verify the client certificate.
>
> You can check the verification status at the completion of the
> handshake via SSL_get_verify_result(3).
>
> --
>         Viktor.
>