Peer certificate verification in verify_callback
Jeremy Harris
jgh at wizmail.org
Mon Mar 30 16:29:16 UTC 2020
On 30/03/2020 17:01, Jason Schultz wrote:
> For example, if my client application is presented a self-signed certificate in the handshake, verify_callback() is called with an error, for which X509_STORE_CTX_get_error() returns 18/X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. In this case, my application searches its trusted store for this certificate, and if it finds a match, the error is cleared and the handshake is allow to proceed.
If you don't care that the cert is verifiable, tell OpenSSL that before
connection?
SSL_CTX_set_verify !SSL_VERIFY_FAIL_IF_NO_PEER_CERT
> Other examples are cases where my client application is presented with a certificate chain. Let’s say the chain looks like root -> intermediate -> end-entity, but the server is configured to not send the root, so my client gets: intermediate -> end-entity in the handshake.
>
>
>
> One case is where my client is presented these certificates and has the end-entity certificate in its trusted store. In this case, the verify_callback() gets error 20/ X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. For this error, my application will search its trusted store for the end-entity certificate, and when a match is found the error is cleared and the handshake is allowed to proceed.
Tell OpenSSL the root(s) you trust before connecting
--
Cheers,
Jeremy
More information about the openssl-users
mailing list