[openssl-users] Preventing Handshake Termination Because of Unverifiable Client Certificates
armen.babikyan at gmail.com
Tue Sep 11 06:25:27 UTC 2018
I realized that something like this could be an option a few minutes after
I hit "send". Thanks for the confirmation - I'll give this a shot!
On Mon, Sep 10, 2018 at 11:19 PM, Viktor Dukhovni <
openssl-users at dukhovni.org> wrote:
> > On Sep 11, 2018, at 2:09 AM, Armen Babikyan <armen.babikyan at gmail.com>
> > I have a question regarding openssl and verification of client
> > certificates. Is there a way to have an openssl-enabled server ask for a
> > client certificate, and when it receives one it can't verify, rather than
> > immediately terminating the handshake, it would allow the connection, but
> > pass some context about the failed verification to the calling application?
> >
> > It appears that what I want is not possible from the SSL_VERIFY_*
> > options presented here:
>
> Actually, SSL_VERIFY_PEER is the right choice, but you also need a
> non-null verification callback that continues (by returning 1)
> despite failures to verify the client certificate.
> You can check the verification status at the completion of the
> handshake via SSL_get_verify_result(3).