[openssl-users] SSL_CTX_set_verify() callback and current depth

Michael Wojcik Michael.Wojcik at microfocus.com
Wed Oct 21 15:34:16 UTC 2015

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Paul Lucas
> Sent: Tuesday, October 20, 2015 19:08
> I'm writing my own callback function in C for SSL_CTX_set_verify() to perform
> additional certificate checks (when the preverify_ok parameter is 1).
> However, I want to perform the checks only for the leaf certificate (depth =
> 0).
> There is the function X509_STORE_CTX_get_error_depth() that gets the
> depth of the error; but I want the current depth even when there is no error
> so I can perform my additional checks only when depth=0. (Note that the
> function SSL_CTX_get_verify_depth() returns the depth limit and not the
> current depth.)
> Is there any way to do what I want?

I thought get_error_depth returned the current depth even when there is no "error". The preverifyOk parameter tells the callback whether OpenSSL thinks there's a problem; the callback is invoked regardless, for each certificate in the chain, and get_error_depth should tell you what the depth is on each call, even if preverifyOk is true (nonzero).

A quick browse through x509_vfy.c (for 1.0.1p) suggests that ctx->error_depth, which is what get_error_depth returns, is always set before calling the callback.

Michael Wojcik
Technology Specialist, Micro Focus

More information about the openssl-users mailing list