<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><!--ppd154--><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>You can use X509_STORE_CTX_get_app_data() and type-cast the returned pointer to SSL*.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><br /><br /><SPAN id="ppe_154">
<TABLE
style="BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; FONT-FAMILY: Arial, Helvetica, sans-serif; FONT-SIZE: 8pt; BORDER-TOP: medium none; BORDER-RIGHT: medium none"
border=0 cellSpacing=0 cellPadding=0 width=386>
<TBODY>
<TR>
<TD
style="BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0px; PADDING-LEFT: 0pt; PADDING-RIGHT: 0pt; BORDER-TOP: medium none; BORDER-RIGHT: #6f9ac5 2.5pt solid; PADDING-TOP: 0px"
vAlign=top width=370>
<P style="MARGIN: 0px"><SPAN
style="DISPLAY: block; COLOR: #6f9ac5; FONT-SIZE: 9pt">Ryan Pfeifle<BR></SPAN><SPAN
style="DISPLAY: block; COLOR: #4f4f4f">Software Engineer<BR></SPAN><SPAN
style="PADDING-BOTTOM: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: block; COLOR: #4f4f4f; FONT-SIZE: 9pt; PADDING-TOP: 10px"> <BR><A
title=www.NICE.com href="http://www.NICE.com"><IMG
style="MARGIN: 5px 0px 0px" border=0
src="cid:2cada4cd821843daa7153d792a28ea74"
width=100 height=39></A></SPAN><BR><A title=www.NICE.com
href="http://www.NICE.com"><SPAN
style="DISPLAY: block; COLOR: #6f9ac5; FONT-SIZE: 8pt">VPI is now part of
NICE</A><BR></SPAN><SPAN
style="PADDING-BOTTOM: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: block; COLOR: #4f4f4f; FONT-SIZE: 9pt; PADDING-TOP: 10px"></FONT></SPAN></P></TD>
<TD
style="BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 8pt; PADDING-RIGHT: 0pt; BORDER-TOP: medium none; BORDER-RIGHT: medium none; PADDING-TOP: 0in"
vAlign=top width=700>
<P style="MARGIN: 0px"><SPAN
style="DISPLAY: block; COLOR: rgb(75,75,75); FONT-SIZE: 8pt">Tel:
1.805.389.5200 x5297<BR></SPAN><BR><SPAN
style="DISPLAY: block; COLOR: rgb(75,75,75); FONT-SIZE: 8pt"><BR></SPAN><SPAN
style="DISPLAY: block; COLOR: rgb(75,75,75); FONT-SIZE: 8pt">E-mail:
Ryan.Pfeifle@nice.com</SPAN><BR><SPAN
style="DISPLAY: block; COLOR: rgb(75,75,75); FONT-SIZE: 8pt"></SPAN><SPAN
style="DISPLAY: block; COLOR: rgb(75,75,75); FONT-SIZE: 8pt"><BR><A
href="http://www.nice.com/Interactions"></A> </SPAN></P></TD></TR></TBODY></TABLE>
</SPAN>
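<p class=MsoNormal>Added example, not part of either message in this thread: one way to record every chain error per session from the verify callback and tolerate only "unable to get CRL" when that session's configuration allows it. It looks up the SSL* with X509_STORE_CTX_get_ex_data() and SSL_get_ex_data_X509_STORE_CTX_idx(), the lookup documented in SSL_CTX_set_verify(3); struct session_verify and record_verify_error() are hypothetical names.</p>

```c
/* Added example, not code from the thread; session_verify and record_verify_error
 * are hypothetical. Add -DWITH_OPENSSL -lssl -lcrypto to build the callback too. */
#include <stddef.h>
#ifdef WITH_OPENSSL
#include <openssl/ssl.h>
#else /* same values as <openssl/x509_vfy.h>, so the policy builds alone */
#define X509_V_OK 0
#define X509_V_ERR_UNABLE_TO_GET_CRL 3
#define X509_V_ERR_CERT_HAS_EXPIRED 10
#endif
#define MAX_ERRS 16

struct session_verify {           /* one per SSL session, zero-initialised */
    int tolerate_crl_unavailable; /* per-session configuration */
    int errs[MAX_ERRS];           /* every error reported, in callback order */
    int depths[MAX_ERRS];         /* chain depth of each recorded error */
    size_t n_errs;
    int fatal;                    /* first error the policy did not tolerate */
};

/* Record one callback invocation; returns the value the verify callback
 * should return (1 = keep validating, 0 = fail the handshake). */
int record_verify_error(struct session_verify *sv, int preverify_ok,
                        int err, int depth)
{
    if (preverify_ok)
        return 1;
    if (sv == NULL)
        return 0;                 /* no session state: fail closed */
    if (sv->n_errs < MAX_ERRS) {
        sv->errs[sv->n_errs] = err;
        sv->depths[sv->n_errs] = depth;
        sv->n_errs++;
    }
    if (err == X509_V_ERR_UNABLE_TO_GET_CRL && sv->tolerate_crl_unavailable)
        return 1;                 /* tolerated, so later errors still surface */
    if (sv->fatal == X509_V_OK)
        sv->fatal = err;
    return 0;
}

#ifdef WITH_OPENSSL
/* Setup: SSL_set_app_data(ssl, sv); SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_callback); */
int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
{
    SSL *ssl = X509_STORE_CTX_get_ex_data(x509_ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
    struct session_verify *sv = ssl ? SSL_get_app_data(ssl) : NULL;
    return record_verify_error(sv, preverify_ok, X509_STORE_CTX_get_error(x509_ctx),
                               X509_STORE_CTX_get_error_depth(x509_ctx));
}
#endif
```

<p class=MsoNormal>After the handshake, the application reads fatal and the recorded errs from its own session_verify structure.</p>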
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> openssl-users [mailto:openssl-users-bounces@openssl.org] <b>On Behalf Of </b>Lei Kong<br><b>Sent:</b> Thursday, October 27, 2016 11:54 AM<br><b>To:</b> openssl-users@openssl.org<br><b>Subject:</b> Re: [openssl-users] SSL_set_verify with a context?<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div id=divtagdefaultwrapper><div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif";color:black'>I am using the following to link ssl to my container structure, so is it possible to get ssl from x509_ctx in verify_callback?<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif";color:black'> SSL_set_app_data(ssl, this);<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif";color:black'> int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx);<o:p></o:p></span></p></div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif";color:black'><o:p> </o:p></span></p></div><div class=MsoNormal align=center style='text-align:center'><hr size=2 width="98%" align=center></div><div id=divRplyFwdMsg><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'> Lei Kong <<a href="mailto:leikong@msn.com">leikong@msn.com</a>><br><b>Sent:</b> Thursday, October 27, 2016 1:24:05 AM<br><b>To:</b> <a href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a><br><b>Subject:</b> SSL_set_verify with a context?</span> <o:p></o:p></p><div><p class=MsoNormal> 
<o:p></o:p></p></div></div><div><div id=divtagdefaultwrapper><p><span style='font-family:"Calibri","sans-serif";color:black'>What I am trying to achieve is to allow some minor certificate chain validation errors, e.g. "CRL unavailable", based on my per-session configuration. I am thinking of using my verify callback to record the errors.<o:p></o:p></span></p><div><div><div id=divtagdefaultwrapper><div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif";color:black'>void SSL_set_verify(SSL *s, int mode, int (*verify_callback)(int, X509_STORE_CTX *));<o:p></o:p></span></p></div><p><span style='font-family:"Calibri","sans-serif";color:black'>int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx);<o:p></o:p></span></p><p><span style='font-family:"Calibri","sans-serif";color:black'><o:p> </o:p></span></p><p><span style='font-family:"Calibri","sans-serif";color:black'>Given the above interfaces, it seems I cannot set the callback with a context, which is needed to link a callback instance to my SSL session for error tracking. Yes, I can use SSL_get_verify_result to get the error afterwards, but is it guaranteed that the most severe error is always returned by SSL_get_verify_result? 
For example, I don't want "unable to get CRL" to mask other more important errors.<o:p></o:p></span></p><p><span style='font-family:"Calibri","sans-serif";color:black'><o:p> </o:p></span></p><p><span style='font-family:"Calibri","sans-serif";color:black'>I would rather avoid repeating validation of the whole chain manually after default validation is completed. Is it possible to achieve my goal without repeating chain validation manually?<o:p></o:p></span></p><p><span style='font-family:"Calibri","sans-serif";color:black'><o:p> </o:p></span></p><p><span style='font-family:"Calibri","sans-serif";color:black'>Any comment will be appreciated.<o:p></o:p></span></p></div></div></div></div></div></div></body></html>