On Tue, Nov 16, 1999, Bodo Moeller wrote:
> On Sun, Aug 08, 1999 at 03:05:26PM +0000, Bodo Moeller wrote:
> > Claus Assmann <[EMAIL PROTECTED]>:

> >> how do I correctly set the verify_mode? Reading the code,
> >> SSL_VERIFY_CLIENT_ONCE and SSL_VERIFY_PEER seem to be useful for
> >> my purpose (try to verify the client, but don't fail).

> Unfortunately it turns out this advice was wrong because the value
> stored in ctx.error is not restored when a session is resumed -- it
> will contain X509_V_OK regardless of whether the peer's certificate
> could be verified or not.  The next snapshot should fix this problem.
> To remove the security holes in my example code, add an #if as below
> (and don't use stale OpenSSL snapshot versions that pass the #if test
> but don't avoid the problem).

Thanks for the notification. A related question:
If the callback always returns 1, does
SSL_get_verify_result()
nevertheless return the correct value?
i.e., X509_V_OK iff the certificate could be verified?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
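Added example, not part of the thread and not OpenSSL code: the configuration Claus asks about ("try to verify the client, but don't fail") written against Go's standard crypto/tls rather than SSL_CTX_set_verify, so that it runs stand-alone. The two questions raised above carry over directly. The verify callback always reports success (nil here, the analogue of returning 1 from an OpenSSL verify callback) and records the real verdict in a struct the application reads after the handshake, which is the role SSL_get_verify_result() plays in the original question. The resumption hole Bodo describes also has a Go counterpart: Go documents VerifyPeerCertificate as not being invoked on resumed connections, so recording the verdict there would leave the stale "verified" state on resumption, exactly the bug quoted above. The example therefore records in VerifyConnection, which Go documents as running for every connection including resumptions, and re-verifies the restored client certificate on each one. Whether OpenSSL's SSL_get_verify_result() is trustworthy after a callback that returns 1 is the open question of the thread and is not something this code settles. Everything named here is mine: the names server.test and client.test, the VerifyOutcome type, the selfSigned, serverConfig and Scenario helpers. Certificates are generated at run time as throwaway test material and the connections run over loopback TCP.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"time"
)

// VerifyOutcome is what the server's callback recorded for one handshake.
type VerifyOutcome struct {
	Presented bool  // the client sent a certificate at all
	Resumed   bool  // the handshake was a session resumption
	Err       error // chain-building error against the server's roots; nil means verified
}

// selfSigned makes a throwaway self-signed certificate for name (constructed
// test material, not a real identity), usable for both server and client auth.
func selfSigned(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return tls.Certificate{}, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return tls.Certificate{}, err }
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// serverConfig is "request a client certificate, verify it, but never fail the
// handshake over it": the callback always returns nil (OpenSSL's "return 1")
// and stores the real verdict in *rec. VerifyConnection is used rather than
// VerifyPeerCertificate because Go skips the latter on resumed connections.
func serverConfig(cert tls.Certificate, roots *x509.CertPool, rec *VerifyOutcome) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientAuth:   tls.RequestClientCert,
		VerifyConnection: func(cs tls.ConnectionState) error {
			*rec = VerifyOutcome{Resumed: cs.DidResume}
			if len(cs.PeerCertificates) == 0 { return nil } // nothing presented; the application decides what that means
			rec.Presented = true
			opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool(),
				KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
			for _, ic := range cs.PeerCertificates[1:] { opts.Intermediates.AddCert(ic) }
			_, rec.Err = cs.PeerCertificates[0].Verify(opts)
			return nil // accept regardless; the verdict lives in *rec, not in the handshake
		},
	}
}

// Scenario runs a full handshake and then a resumed one against the same server
// over loopback TCP and returns what its callback recorded each time. withCert:
// the client presents a certificate; trustClient: it is in the server's roots.
func Scenario(withCert, trustClient bool) (out [2]VerifyOutcome, err error) {
	serverCert, err := selfSigned("server.test")
	if err != nil { return out, err }
	clientCert, err := selfSigned("client.test")
	if err != nil { return out, err }
	roots, clientRoots := x509.NewCertPool(), x509.NewCertPool()
	clientRoots.AddCert(serverCert.Leaf)
	if trustClient { roots.AddCert(clientCert.Leaf) }
	var rec VerifyOutcome
	srv := serverConfig(serverCert, roots, &rec)
	cli := &tls.Config{RootCAs: clientRoots, ServerName: "server.test",
		ClientSessionCache: tls.NewLRUClientSessionCache(4)} // the cache is what lets the second connection resume
	if withCert { cli.Certificates = []tls.Certificate{clientCert} }
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return out, err }
	defer ln.Close()
	for i := range out {
		errc := make(chan error, 1)
		go func() { // server side: handshake (the session ticket goes out with it), then close
			raw, err := ln.Accept()
			if err == nil {
				s := tls.Server(raw, srv)
				err = s.Handshake()
				s.Close()
			}
			errc <- err
		}()
		c, err := tls.Dial("tcp", ln.Addr().String(), cli)
		if err != nil { return out, err }
		_, err = io.ReadAll(c) // consumes the NewSessionTicket, then the server's close_notify
		c.Close()
		if err != nil { return out, err }
		if err = <-errc; err != nil { return out, err }
		out[i] = rec
	}
	return out, nil
}
```

Running Scenario(true, false) shows the property the thread is after: both handshakes complete, yet the recorded verdict is a chain-building failure each time, including on the resumed connection where the server never saw a Certificate message and instead re-verified the chain restored from the session. The operational consequence is the same as in the OpenSSL case: once the callback is made lenient, nothing in the handshake result says whether the peer was authenticated, so the application has to consult the recorded verdict on every connection before granting anything, and the place it records that verdict must be one that is reached on resumed sessions too.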
