Question about examples in openssl doc X509_STORE_CTX_verify_cb

Viktor Dukhovni openssl-users at dukhovni.org
Mon Mar 14 19:27:59 UTC 2022


On Mon, Mar 14, 2022 at 11:25:51AM -0700, Edward Tsang via openssl-users wrote:

> https://www.openssl.org/docs/man1.1.1/man3/X509_STORE_CTX_verify_cb.html
> 
> I am trying to figure out how this example works but it does not seem to
> bypass the (use the second example of X509_V_ERR_CERT_HAS_EXPIRED)
> 
> However the caller code
> long res = SSL_get_verify_result( sslCtx ); still reports res NOT as
> X509_V_OK, which it should be per the example since it is returning as 1.

This is correct and expected.  Returning "ok = 1" from the verify
callback allows the handshake to continue, rather than be aborted,
but it does not and should not mark the certificate as verified.

> I don't think I need to use X509_STORE_CTX_set_error(ctx, X509_V_OK);
> before return 1 in the X509_STORE_CTX_verify_cb example.
> Or am I missing something?

You're missing something.  It is best to not suppress the error code,
since this will also mean that resumed sessions are unaware of the
error, ... Rather, if you want to tolerate expired certificates, record
and admit that error both in the callback and after the handshake.

-- 
    Viktor.

