Peer certificate verification in verify_callback

Viktor Dukhovni openssl-users at dukhovni.org
Mon Mar 30 18:17:23 UTC 2020


On Thu, Mar 05, 2020 at 02:04:27PM +0000, Jason Schultz wrote:

> I have some questions about my application’s verify_callback() function and how I handle some of the OpenSSL errors.

You're going about this the wrong way.  Instead of trying (likely
insecurely) to patch up verification errors in a verify callback, if you
have a certificate store that is not directly supported by OpenSSL, you
need to implement your own custom X509_STORE type, associate that store
with the SSL_CTX and have OpenSSL's built-in certificate verification
search that store for you.

If you also want to directly trust intermediate certificates that are
not self-signed roots, you can either set the "partial chain" flag,
or load into your store intermediate certificates with auxiliary
trust settings (aka "TRUSTED CERTIFICATES"), which will then be
trusted without chaining to a root, but simpler to just add the
roots to the store.

-- 
    Viktor.
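The two ways of directly trusting an intermediate that the reply names (the partial-chain flag, and an intermediate carrying auxiliary trust settings, i.e. a "TRUSTED CERTIFICATE"), shown with the openssl command-line tool rather than the library API, as an added example that is not part of the thread. It assumes an `openssl` binary on PATH; the root/intermediate/leaf PKI, names and file paths are constructed throw-away values.

```shell
#!/bin/sh
# Added example, not from the original thread: builds a throw-away
# root -> intermediate -> leaf chain and shows that a store holding only
# the (non self-signed) intermediate rejects the leaf unless either
# PARTIAL_CHAIN is set or the intermediate has aux trust settings.
set -u
WORK=$(mktemp -d)   # scratch directory for the constructed demo PKI

build_chain() {
    printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
        -out "$WORK/root.pem" -subj "/CN=Demo Root" -days 2 >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/int.key" \
        -out "$WORK/int.csr" -subj "/CN=Demo Intermediate" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -set_serial 1 -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
        -out "$WORK/leaf.csr" -subj "/CN=demo.example" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -set_serial 2 -days 2 -out "$WORK/leaf.pem" >/dev/null 2>&1 || return 1
    # Same intermediate re-encoded as a TRUSTED CERTIFICATE with an
    # explicit serverAuth trust setting (aux trust, no chain to a root).
    openssl x509 -in "$WORK/int.pem" -addtrust serverAuth \
        -out "$WORK/int-trusted.pem" >/dev/null 2>&1 || return 1
}

# Prints "ok" or "fail" for one verification of the leaf; extra
# arguments are passed to openssl verify.
verify_leaf() {
    if openssl verify "$@" "$WORK/leaf.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# 1. Plain intermediate in the store, default flags: it is not
#    self-signed, so chain building never reaches a root -> rejected.
plain_result()   { verify_leaf -CAfile "$WORK/int.pem"; }
# 2. Same store with the partial-chain flag: a chain that ends in any
#    certificate from the store is accepted.
partial_result() { verify_leaf -partial_chain -CAfile "$WORK/int.pem"; }
# 3. TRUSTED CERTIFICATE form: the serverAuth aux trust setting makes the
#    intermediate a trust anchor for that purpose without any flag.
aux_result()     { verify_leaf -purpose sslserver -CAfile "$WORK/int-trusted.pem"; }

build_chain
printf 'plain: %s\npartial_chain: %s\naux_trust: %s\n' \
    "$(plain_result)" "$(partial_result)" "$(aux_result)"
```

Expected output is `plain: fail`, `partial_chain: ok`, `aux_trust: ok`; the same store flag is what X509_V_FLAG_PARTIAL_CHAIN sets on an SSL_CTX's X509_STORE in the library API.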