Joerg Bartholdt wrote:
>
> Hi *,
>
> During the SSL Handshake, OpenSSL can call a verify_callback
> that can manipulate the outcome of the certificate verification
> process.
> If I use some long-term evaluation like an OCSP-Request, my single-
> threaded application is blocked during this time. I cannot return
> a value like "I don't know yet, ask later" - I have to have the
> decision before I return from the callback.
> So, there is no chance for handling other connections (I usually use
> select() and async IO to handle multiple connections, which OpenSSL
> can do pretty well in all other states...) during that time.
>
> Does anybody have a solution?
> Thanks in advance,
>
I'm not sure this has ever been tested, but it looks like you can handle this by returning -1 from the verify callback instead of the normal 1=success or 0=failure. There's some code in place that handles this in a manner analogous to other non-blocking operations, using a special condition SSL_ERROR_WANT_X509_LOOKUP.

Performance is likely to be rather poor managing all connections in one thread, because some operations are relatively slow, such as private key functions, which will occur during the initial handshake.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]