[openssl-users] Preventing Handshake Termination Because of Unverifiable Client Certificates

Viktor Dukhovni openssl-users at dukhovni.org
Tue Sep 11 06:19:42 UTC 2018

> On Sep 11, 2018, at 2:09 AM, Armen Babikyan <armen.babikyan at gmail.com> wrote:
> I have a question regarding openssl and verification of client certificates.  Is there a way to have an openssl-enabled server ask for a client certificate, and when it receives one it can't verify, rather than immediately terminating the handshake, it would allow the connection, but pass some context about the failed verification to the calling application?


> It appears that what I want is not possible from the SSL_VERIFY_* options presented here:

Actually, SSL_VERIFY_PEER is the right choice, but you also need a
non-null verification callback that continues (by returning 1)
despite failures to verify the client certificate.

You can check the verification status at the completion of the
handshake via SSL_get_verify_result(3).


More information about the openssl-users mailing list