OCSP verification in a non-blocking environment

Detlef Vollmann dv at vollmann.ch
Thu Mar 18 20:07:20 UTC 2021


I have a non-blocking DTLS server and use SSL_VERIFY_PEER.
Now I'd like to use the verify_callback that I set with
SSL_CTX_set_verify() to check via OCSP for revocation.
This works fine in a simple blocking test program, where
I can just wait for the OCSP reply and then return 0 or 1
from my verify_callback function depending on this reply.

But in a non-blocking program I can't wait for the OCSP reply,
and I also can't return -1 from my verify_callback function
to tell the handshake code to call the callback again.

Am I right that I can only do a non-blocking OCSP check after
the handshake has finished?

   Detlef