On Fri, Mar 08, 2002 at 09:42:42AM +0100, Joerg Bartholdt wrote:
> During the SSL Handshake, OpenSSL can call a verify_callback
> that can manipulate the outcome of the certificate verification
> process.
> If I use some long-term evaluation like an OCSP-Request, my single
> threaded application is blocked during this time. I cannot return
> a value like "I don't know yet, ask later" - I have to have the
> decision before I return from the callback.
> So, there is no chance for handling other connections (I usually use
> select() and async IO to handle multiple connections, which OpenSSL
> can do pretty well in all other states...) during that time.
>
> Does anybody have a solution?
Hmm, hmm. Sounds like this case has not been prepared for. When asking the user for a client certificate, the case seems to be prepared for (look for SSL_X509_LOOKUP in s3_clnt.c). However: as far as I understand, OCSP was only introduced after the verify_callback() thing was invented, so the case you describe has not been covered. I think it would be possible to enhance libssl to also handle this case, but it would require quite some rewrite of the mechanism...

> P.S.: I thought I had sent this email a couple of days ago already,
> but it did not show up - so I assume I didn't :-(

I remember reading about it, but I also remember not having an answer at that time.

Good luck,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
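The usual way around the blocking callback, shown here as an added example that is not part of the thread and not OpenSSL's own code: let verify_callback accept the chain (returning 1 only when OpenSSL's own chain checks already passed) and merely record which leaf certificate it saw; once SSL_do_handshake() reports success, put the connection into an "OCSP pending" state, fire the OCSP request from the same select() loop on its own non-blocking socket, and queue rather than process any application data until the response arrives. The per-connection struct and the four event handlers below are assumptions standing in for whatever state a real select() loop keeps; the OpenSSL glue (SSL_CTX_set_verify, SSL_get_peer_certificate, the OCSP_* request/response helpers) is indicated in comments only, so the block compiles without libssl.

```c
/* Deferred revocation check: added example, not code from the thread or from
 * OpenSSL. verify_callback cannot answer "ask me later", so the pattern is:
 *   1. in the callback, record the leaf certificate and return 1 (OpenSSL's
 *      chain, signature and expiry checks still apply; only revocation waits),
 *   2. when the handshake completes, mark the connection OCSP_PENDING and send
 *      the OCSP request on a non-blocking socket in the same select() set,
 *   3. release application data only once the responder says "good"; a
 *      "revoked", "unknown" or timed-out answer tears the connection down.
 * struct conn and the handlers are assumptions standing in for a real loop. */
#include <stdio.h>
#include <string.h>
#include <time.h>

enum conn_state  { HANDSHAKING, OCSP_PENDING, READY, REJECTED };
enum ocsp_status { STATUS_GOOD, STATUS_REVOKED, STATUS_UNKNOWN };

struct conn {
    int fd;
    enum conn_state state;
    char leaf_fpr[65];            /* hex fingerprint of the leaf, set in the callback */
    time_t ocsp_deadline;         /* give up waiting for the responder after this */
    unsigned char queued[4096];   /* application data held back while pending */
    size_t queued_len;
};

/* Body of the verify callback. In OpenSSL this is
 *   int cb(int preverify_ok, X509_STORE_CTX *ctx)
 * with depth from X509_STORE_CTX_get_error_depth(); here the depth and the
 * fingerprint are passed in directly so the logic runs without libssl. */
int verify_cb_defer(struct conn *c, int preverify_ok, int depth, const char *fpr)
{
    if (!preverify_ok)
        return 0;                 /* chain failures stay fatal, nothing deferred */
    if (depth == 0)               /* leaf: remember it, check revocation later */
        snprintf(c->leaf_fpr, sizeof c->leaf_fpr, "%s", fpr);
    return 1;                     /* let the handshake continue */
}

/* Called when SSL_do_handshake()/SSL_accept() returns success. */
void on_handshake_done(struct conn *c, time_t now, int timeout_s)
{
    c->state = OCSP_PENDING;
    c->ocsp_deadline = now + timeout_s;
    /* here: build the OCSP request for c->leaf_fpr's certificate
     * (SSL_get_peer_certificate + OCSP_request_add0_id) and write it on a
     * non-blocking socket registered in the same select() set as c->fd */
}

/* Data from SSL_read() while pending is queued, not handed to the application.
 * Returns 1 if the caller may process buf now, 0 otherwise. */
int on_app_data(struct conn *c, const unsigned char *buf, size_t n)
{
    if (c->state == READY)
        return 1;
    if (c->state != OCSP_PENDING)
        return 0;                 /* HANDSHAKING or REJECTED: never deliver */
    if (c->queued_len + n > sizeof c->queued) {
        c->state = REJECTED;      /* peer floods us before we can vet it */
        return 0;
    }
    memcpy(c->queued + c->queued_len, buf, n);
    c->queued_len += n;
    return 0;
}

/* OCSP response parsed by the select() loop (OCSP_resp_find_status in OpenSSL). */
void on_ocsp_result(struct conn *c, enum ocsp_status s)
{
    if (c->state != OCSP_PENDING)
        return;
    c->state = (s == STATUS_GOOD) ? READY : REJECTED;
    /* on READY the caller drains c->queued into the application;
     * on REJECTED it calls SSL_shutdown() and closes c->fd */
}

/* Periodic timer tick from the select() loop. Fails closed: an unreachable
 * responder is not the same as "good". */
void on_tick(struct conn *c, time_t now)
{
    if (c->state == OCSP_PENDING && now >= c->ocsp_deadline)
        c->state = REJECTED;
}
```

Whether a responder timeout should fail closed (as above) or fail open is a policy choice; the code keeps it in one place (on_tick) so it can be flipped without touching the callback. Note that the server's Finished message has already gone out by the time the OCSP answer arrives, so what this pattern guarantees is that no application data is exchanged with a revoked peer, not that the handshake itself is refused.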