Reconstructing X509_STORE_CTX from SSL object

Akshath Hegde arhsagar at
Tue Mar 21 13:37:42 UTC 2023

I was facing a problem when adding OCSP verification to existing TLS cert
verification mechanism.
We register a callback of the form
int ocsp_status_response_cb(SSL *, void *) via

My intention is to call the certificate verification function callback as a
normal function inside the OCSP callback (the reason why this is done is
due to a separate issue with callback ordering)
The certificate verification function is set through
SSL_CTX_set_cert_verify_cb(), and the callback is of the form
int (*cert_verify_cb) (X509_STORE_CTX *, void *)

So to be able to call this inside the OCSP callback, I'd need to
reconstruct the
X509_STORE_CTX argument. I'm not very familiar with openssl internals, so
forgive me if this is silly.
1)Is it conceptually right to do so?
2)Is it possible to construct x509_store_ctx from ssl?
3)I could extract the peer cert chain from SSL through
SSL_get_peer_cert_stack() and create a x509_store_ctx. But this wouldn't be
identical to how it's created originally and might lack information. If
it's correct to do so and possible, what's the right method to create it?

Do you see any alternative to overall approach?
(For the original problem, please have a look at thread named "Stapled OCSP

Any leads would be helpful

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list