[openssl-users] X509_verify_cert cannot be called twice

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Mon Mar 28 17:24:35 UTC 2016


On 3/25/16, 17:17 , "openssl-users on behalf of Viktor Dukhovni"
<openssl-users-bounces at openssl.org on behalf of
openssl-users at dukhovni.org> wrote:


>> If I ask “is your passport valid”, I expect to be able to repeat this
>> question and (as long as this all is within a reasonably short time) get
>> exactly the same answer.
>
>The result of X509_verify_cert() is not just a single error value...
>...
>Whatever is motivating the desire to call X509_verify_cert() twice
>is likely some deficiency (whether actual or perceived) in the
>current functionality, and we should probably address the underlying
>problem and not the superficial symptoms.

I cannot comment or criticize here, because I’m not at that point (yet?).
I’m not using this functionality now, and when I do I’ll probably account
for this bit of wisdom (using the correct call sequence).

>If you're doing this in the context of SSL, the SSL layer configures
>the X509_STORE_CTX with various parameters beyond just
>X509_STORE_CTX_init(), and using your own fresh context will not
>work well.

Most likely, when I do need to use this it wouldn’t be in the context of
SSL. But I will remember this (not to use my own fresh context when using
SSL) too. ;)

Thanks!