You need to do the SSL_CTX_set_verify() *before* you do the SSL_new(). The
SSL * sort of inherits all of the settings from the parent SSL_CTX *, kind
of like a fork(). If you need to customize a setting for a particular SSL
session, you do this to the SSL * object.

_____________________________________
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_____________________________________



----- Original Message -----
From: "Hegde, Ramdas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 22, 2001 6:10 PM
Subject: Strange behaviour with SSL_CTX_set_verify


> After I do the SSL initialization, I do the following in my server code.
>    while(1){
>       if((s=accept(sock,0,0))<0)
>         err_exit("Problem accepting");
>
>       sbio=BIO_new_socket(s,BIO_NOCLOSE);
>       ssl=SSL_new(ctx);
>       SSL_set_bio(ssl,sbio,sbio);
>
>       SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);
>       if((r=SSL_accept(ssl))<=0)
>         err_exit("SSL accept error");
>
>       peer = SSL_get_peer_certificate(ssl);
>       if (peer == NULL) {
>          printf("Null presented by peer \n");
>       }
>
> The first time the client connects and does the SSL handshake, when the
> server makes a request for a client certificate, it gets a NULL. But on
> subsequent calls from the client, the server is able to get the client
> certificate.
> What could be going wrong the first time this happens?
> If I make it SSL_set_verify() instead of SSL_CTX_set_verify(), the server
> gets the peer certificate but the callback function is not called.
> I am confused as to why this is happening and would appreciate any ideas
> for solving this problem.
>
> Thanks
>
> Ramdas
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
