Just to add to the confusion, is the callback only called when
SSL_CTX_set_verify() fails a cert verification, or is it called even on a
successful cert verification?
I looked at the code in ssl/ssl_cert.c, and it looks like the callback in
ssl_verify_cert_chain() is called regardless of the actual verification
results. However, it doesn't look like this is where the cert verification
takes place in my case. This routine accesses the
s->ctx->app_verify_callback value, while the SSL_CTX_set_verify() call sets
the ctx->default_verify_callback, and SSL_new sets
s->verify_callback=ctx->default_verify_callback.
A search through the entire codebase for "->verify_callback" reveals only
the SSL_set*() and SSL_get*() routines in ssl/ssl_lib.c (the SSL_CTX_set*()
and SSL_CTX_get*() calls set ->default_verify_callback). So who knows how
the callback actually occurs?
I also checked the X509_V_ERR_* error definitions
(crypto/x509/x509_vfy.h). I found nothing that indicated a cert/hostname
mismatch. Do you have to check this the old-fashioned way, or is there a
way to extract this info if that is what caused the failure? I would think
the latter, but I can't find it. There did not appear to be any such error
definitions in crypto/x509v3 so I assume the x509v3 stuff still relies on
the old x509 stuff.
Anyway, I guess I added quite a few questions to my previous query. I am
pretty sure I made adequate attempts to find the answers myself, so either
the info is not readily available or (more probably) I just don't know what
to look for.
Any and all help is appreciated.
TIA
Lou
Louis LeBlanc wrote:
> Hello, All.
> In my attempts to learn more about the certificate verification process,
> I have been looking at the apps/* code, the manpages, and the release
> docs - not to mention the OpenSSL site. The closest thing I have found
> to any documentation on the SSL_CTX_set_verify_depth() routine is the
> following, taken from the CHANGES file in the 0.9.6 distribution:
>
> *) Support verify_depth from the SSL API.
> x509_vfy.c had what can be considered an off-by-one-error:
> Its depth (which was not part of the external interface)
> was actually counting the number of certificates in a chain;
> now it really counts the depth.
> [Bodo Moeller]
>
> This doesn't really tell you what it is supposed to do. Of course that
> isn't what a CHANGES file is for either. :)
>
> As I understand it, the verify depth associated with an SSL connection
> specifies the number of steps taken before verification can succeed.
> Any failures along the way cause a verification failure. The callback
> routine specified in the SSL_CTX_set_verify() call (or SSL_set_verify()
> for a specific connection) is required to get specific information about
> why the verification failed.
>
> I wonder if there is any info regarding the specifics of the verify
> depth, and is the call to SSL_CTX_set_verify_depth() even necessary? If
> not, what is being sacrificed, if anything? What are the possible
> values? etc. If there is documentation that spells these things out, I
> have been unable to find it, so please feel free to just point me to it.
>
> Searches on the list archives for SSL_CTX_set_verify_depth,
> set_verify_depth, and verify_depth, have not produced any messages that
> deal with this call specifically.
>
> TIA
> Lou
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]