[openssl-users] X509_verify_cert cannot be called twice

DEXTER mydexterid at gmail.com
Thu Mar 24 18:02:27 UTC 2016


So let me get this straight.
If someone had a software where they called X509_verify_cert from
SSL_CTX_set_cert_verify_callback callback twice (to verify first with
crls, and maybe verify again without crls) and it worked as expected,
after this patch their software is broken.

Am I right?

And there is no solution to this after the patch for 1.0.[12]

Am I right?

On 2016.03.24. 16:17, Viktor Dukhovni wrote:
> 
>> On Mar 24, 2016, at 4:21 AM, DEXTER <mydexterid at gmail.com> wrote:
>>
>> So this patch:
>> https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b3b1eb5735c5b3d566a9fc3bf745bf716a29afa0
>>
>> magically made itself into ubuntu trusty's version of openssl in a
>> security update.
>>
>> My question is:
>>
>> What is the recommended way now to call X509_verify_cert twice or
>> unlimited times from SSL_CTX_set_cert_verify_callback callback.
>> (This is where the ctx is already initialized by openssl and not by the user)
> 
> I'm afraid multiple calls are not supported.
> I'll consider updating the 1.1.0 code to make that possible,
> but that won't help you with 1.0.[12]...
> 


More information about the openssl-users mailing list