Callback functions higher up in the stack than X509_STORE_set_verify_cb?

Viktor Dukhovni openssl-users at
Tue Aug 4 15:24:31 UTC 2020

On Tue, Aug 04, 2020 at 10:25:44AM +0200, Ander Juaristi wrote:

> /* Check the OCSP response here */
> ocsp_stap_length = SSL_get_tlsext_status_ocsp_resp(ssl, &ocsp_resp);
> certs = SSL_get_peer_cert_chain(ssl);

Side comment, if you end up sticking with post-handshake validation you
probably want: SSL_get0_verified_chain(3) rather than

A better early hook into SSL cert chain verification is:


which you can you use to wrap X509_verify_cert(3) and do some
post-processing after the verified chain is constructed.  But
this likely fires before the OCSP extension from the server
is processed.

> I was wondering if a hook point exists that would allow me to do this 
> just before ChangeCipherSpec is sent by the client,
> as, at that point, all the information should already be available.

You're looking for: SSL_CTX_set_tlsext_status_cb(3).


More information about the openssl-users mailing list