<div dir="ltr"><div style="font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial">Hello,</div><div style="font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial">I have a question regarding openssl and verification of client certificates.  Is there a way to have an openssl-enabled server ask for a client certificate, and when it receives one it can't verify, rather than immediately terminating the handshake, it would allow the connection, but pass some context about the failed verification to the calling application?</div><div style="font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial">It appears that what I want is not possible from the SSL_VERIFY_* options presented here:</div><div style="font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial"><a href="https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_verify_depth.html#NOTES" target="_blank" style="color:rgb(17,85,204)">https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_verify_depth.html#NOTES</a></div><div style="font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial">My use case is to opportunistically allow connections from VoIP devices, whether or not the clients have certificates I can verify.  
Suppose I use the term "blue check" as an internal measure of client trustworthiness/provenance.</div><div style="font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial">1) If the client presents a certificate that I can verify, I want to build some context that gives this client a "blue check".</div><div style="font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial">2) If the client presents a certificate that I can't verify, I want to still allow it to connect, but not have a "blue check" associated with that client.</div><div style="font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial">3) If the client doesn't present a certificate, I want to still allow it to connect, but, as in (2), not have a "blue check".</div><div style="font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial">It seems that the openssl library and documented behavior is artificially limiting me to only allow (1) and (3).  I would like to support scenario (2) as well.<br></div><div style="font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial">Is the existing behavior intentional, or am I out in left field with this request?  If the latter, would you consider a patch to implement the behavior in (2), perhaps as an additional param, e.g. SSL_VERIFY_DONTFAIL?  
Additionally, it would be great if I could still get some information about the cert presented by the unverifiable client from within my application as well.</div><div style="font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial">Thanks!</div><br><div>Armen</div></div>