[openssl-users] X509_verify_cert cannot be called twice

Viktor Dukhovni openssl-users at dukhovni.org
Thu Mar 24 18:12:49 UTC 2016


> On Mar 24, 2016, at 2:02 PM, DEXTER <mydexterid at gmail.com> wrote:
> 
> So let me get this straight.
> If someone had a software where they called X509_verify_cert from
> SSL_CTX_set_cert_verify_callback callback twice (to verify first with
> crls, and maybe verify again without crls) and it worked as expected,
> after this patch their software is broken.

If they re-used the same X509_STORE_CTX, yes their software depended
on undefined and likely insecure behaviour.  "Worked as expected" is
likely more along the lines of "did not appear to fail".  Verification
is not only expected to succeed for valid chains, but is also expected
to reliably fail for invalid chains.

-- 
	Viktor.



More information about the openssl-users mailing list