On Tue, Jul 16, 2002 at 11:28:32AM -0400, Kervin Pierre wrote:
> this is actually what I thought as well.
>
> Is there a suitable replacement?
>
> Here is how the function is used...
>
> from ldap/libraries/libldap/tls.c
>
> //=============================================
>
> static X509 *
> tls_get_cert( SSL *s )
> {
> 	/* If peer cert was bad, treat as if no cert was given */
> 	if (SSL_get_verify_result(s)) {
> 		/* If we can send an alert, do so */
> 		if (SSL_version(s) != SSL2_VERSION){
> 			ssl3_send_alert(s,SSL3_AL_WARNING,SSL3_AD_BAD_CERTIFICATE);
> 		}
> 		return NULL;
> 	}
> 	return SSL_get_peer_certificate(s);
> }
Obviously the software is implemented to have the handshake succeed regardless of the certificate verification result and then only check out the certificate verification result later on. That's what the original function of the verification routines (and callback function) is. They check the certificate and have the handshake fail if they are not satisfied with the result. By using the callback function the application can adjust the default behaviour.

Best regards,
	Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
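The two models Lutz contrasts above (let the handshake succeed and inspect the verification result afterwards, as the quoted libldap code does, versus letting the library's own verification abort the handshake with an alert) can be exercised end to end. The following is an added example, not code from the thread, OpenLDAP or OpenSSL; it uses Python's standard `ssl` module instead of the C API, runs a one-shot TLS server on a throwaway self-signed certificate, and assumes only that the `openssl` command-line tool is installed to mint that certificate. Because Python's `ssl` module exposes no equivalent of `SSL_get_verify_result()`, the "verify later" client pins the presented certificate to the trusted one instead; the "verify in handshake" client relies on the default `CERT_REQUIRED` mode, which is the callback-driven behaviour Lutz describes, and shows the alert reaching the server side.

```python
"""Constructed demo: verification after the handshake vs. during the handshake.

Assumes the `openssl` CLI is on PATH (only used to mint a throwaway
self-signed certificate); everything else is the Python standard library.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed(tmpdir):
    """Mint a throwaway self-signed cert+key for 'localhost' (constructed test data)."""
    key = os.path.join(tmpdir, "key.pem")
    crt = os.path.join(tmpdir, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=localhost", "-keyout", key, "-out", crt],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return crt, key


def serve_once(srv_ctx, listener, outcome):
    """Accept one TLS connection and record whether the handshake completed."""
    conn, _ = listener.accept()
    conn.settimeout(10)
    try:
        with srv_ctx.wrap_socket(conn, server_side=True) as tls:
            tls.recv(1)  # the client sends one byte once it has accepted us
        outcome.append("handshake completed")
    except OSError as e:  # ssl.SSLError is an OSError; the peer's alert surfaces here
        reason = getattr(e, "reason", None) or type(e).__name__
        outcome.append("handshake aborted by peer: " + reason)


def verify_later(port, trusted_cert_file):
    """libldap's approach: the handshake cannot fail on the cert; check it afterwards.

    Python has no SSL_get_verify_result(), so the after-the-fact check pins the
    presented certificate to the one we trust (hypothetical policy for the demo).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # verification result never aborts the handshake
    with socket.create_connection(("127.0.0.1", port)) as sock:
        with ctx.wrap_socket(sock, server_hostname="localhost") as tls:
            presented = tls.getpeercert(binary_form=True)  # raw DER, available despite CERT_NONE
            with open(trusted_cert_file) as f:
                trusted = ssl.PEM_cert_to_DER_cert(f.read())
            ok = presented == trusted
            if ok:
                tls.sendall(b"!")  # tell the server we accept it
            return ok


def verify_in_handshake(port, ca_file):
    """The library default: verify during the handshake; a bad chain aborts it with an alert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED by default
    ctx.check_hostname = False  # keep the demo about the chain, not the name
    if ca_file:
        ctx.load_verify_locations(ca_file)  # trust our self-signed cert as the anchor
    try:
        with socket.create_connection(("127.0.0.1", port)) as sock:
            with ctx.wrap_socket(sock, server_hostname="localhost") as tls:
                tls.sendall(b"!")
        return "handshake completed"
    except ssl.SSLCertVerificationError as e:
        return "handshake failed: " + e.verify_message


def run_scenario(client):
    """Run `client(port, cert_path)` against a one-shot server; return (client result, server outcome)."""
    with tempfile.TemporaryDirectory() as tmp:
        crt, key = make_self_signed(tmp)
        srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv_ctx.load_cert_chain(crt, key)
        outcome = []
        with socket.socket() as listener:
            listener.bind(("127.0.0.1", 0))
            listener.listen(1)
            t = threading.Thread(target=serve_once, args=(srv_ctx, listener, outcome))
            t.start()
            result = client(listener.getsockname()[1], crt)
            t.join()
        return result, outcome[0]


def demo_verify_later():
    return run_scenario(verify_later)


def demo_untrusted_in_handshake():
    return run_scenario(lambda port, crt: verify_in_handshake(port, None))


def demo_trusted_in_handshake():
    return run_scenario(verify_in_handshake)  # the cert file doubles as the trust anchor


if __name__ == "__main__":
    print("verify later:           ", demo_verify_later())
    print("in handshake, untrusted:", demo_untrusted_in_handshake())
    print("in handshake, trusted:  ", demo_trusted_in_handshake())
```

In the untrusted case the client never reaches application data: the library rejects the self-signed chain itself, sends the alert, and the server sees the abort, which is the behaviour the quoted `tls_get_cert()` was re-creating by hand with the internal `ssl3_send_alert()`. Disabling hostname checking is done only to keep the demo focused on chain verification.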