[openssl-dev] [openssl.org #4602] Missing accessors

Richard Levitte levitte at openssl.org
Mon Jul 25 16:21:32 UTC 2016


In message <rt-4.0.19-13376-1469461907-1144.4602-6-0 at openssl.org> on Mon, 25 Jul 2016 15:51:47 +0000, "msalle at nikhef.nl via RT" <rt at openssl.org> said:

rt> On Mon, Jul 25, 2016 at 01:44:18PM +0000, Salz, Rich via RT wrote:
rt> > I am not sure what to suggest.  This conversation is bouncing across
rt> > two ticket systems and is all about a legacy certificate format that
rt> > is, what, outdated since 2002?
rt> > I am hard-pressed to see why OpenSSL 1.1 has to do anything other than
rt> > what Richard proposed.
rt> 
rt> The two ticket systems are indeed annoying and I don't know what to do
rt> about that (I did not start this thread) other than removing one of
rt> them.

One way is to exclude rt at openssl.org from your list of recipients ;-)
(I just did, btw)
I'm also taking away 829272 at bugs.debian.org

rt> The point is that if OpenSSL is providing a verification callback which
rt> can be used to provide a custom verification of the cert chain, then it
rt> should provide the necessary handles and the thing still missing from
rt> what Richard proposed is a way to point to the failing certificate in
rt> the chain. We can set the error, but not at which depth in the chain the
rt> error occurred.
rt> This in itself is not limited to our use-case but is a general API
rt> request.

Just for clarity, when I talk about the verification callback, I'm
talking about verify_cb, settable with X509_STORE_CTX_set_verify_cb().
If you're talking about something else, please correct me.

By design, verify_cb is called for *each* certificate in the chain,
to allow the verification result for that certificate alone to be
customized.

current_cert, current_issuer, etc. are meant as input for verify_cb,
indicating which certificate in the chain the call of the callback is
about.  Why one would need to tamper with them from inside the
verify_cb function escapes me...

Cheers,
Richard

-- 
Richard Levitte         levitte at openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/

