[openssl-users] Regarding SSL_VERIFY_PEER

Michael Wojcik Michael.Wojcik at microfocus.com
Wed May 3 16:27:34 UTC 2017


> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Viktor Dukhovni
> Sent: Wednesday, May 03, 2017 06:40
> 
> For the full verification process see:
> 
> 
> https://github.com/openssl/openssl/blob/f0ef20bf386b5c37ba5a4ce5c1de9a819bbeffb2/crypto/x509/x509_vfy.c#L208

I haven't looked at x509_vfy.c in 1.1.0, but in the 1.0.x code it's fairly involved. When I implemented custom chain validation for a product, I stepped through the code under the debugger for a handful of different cases, to get a better idea of what it was doing. I recommend the exercise for anyone who wants to intervene in OpenSSL's chain validation.

My custom validation code uses the OpenSSL validation callback, making some additional checks and allowing some exceptions, based on application configuration. I assume John is doing something similar, and not trying to implement chain validation from scratch. I definitely wouldn't recommend that, given the Byzantine complexity of X.509v3 PKI, unless you really must (e.g. because you want a non-hierarchical PKI topology).

Michael Wojcik 
Distinguished Engineer, Micro Focus 



