[openssl-users] SSL_set_verify with a context?

Lei Kong leikong at msn.com
Thu Oct 27 08:24:05 UTC 2016

What I am trying to achieve is to allow some minor certificate chain validation errors, e.g. "CRL unavailable", based on my per-session configuration. I am think of using my verify callback to record the errors.

void SSL_set_verify(SSL *s, int mode, int (*verify_callback)(int, X509_STORE_CTX *));

int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx);

Given the above interfaces, it seems I cannot set the callback with a context, which is needed to link a callback instance to my SSL session for error tracking. Yes, I can use SSL_get_verify_result to get the error afterwards, but is it guaranteed that the most severe error is always returned by SSL_get_verify_result? For example, I don't want "unable to get CRL" to mask other more important errors.

I would rather avoid repeating validating the whole chain manually after default validation is completed, is it possible to achieve my goal without repeating chain validation manually?

Any comment will be appreciated.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20161027/c7753865/attachment.html>

More information about the openssl-users mailing list