From a brief look at the cert validation code, it appears that there's no way to do non-blocking IO while performing on-line revocation checks, e.g. querying a CDP or an OCSP responder. Is that correct?

Specifically, I see in ssl_cert.c a call is made to X509_verify_cert(), or a user-supplied verification callback. It looks like X509_verify_cert() only checks CRLs, and only CRLs that have been previously stored in the context. So, no CDP lookups.

Further, it looks like if a user-supplied callback is provided that does a CDP lookup, there's no way for the callback to return a would-block error, or for the handshake to be retried once the revocation data is available. Is that correct?

b.c.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
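As an added illustration, not part of the original post, the following shell script uses the `openssl` command line (whose `verify` sub-command drives the same X509_verify_cert() path with X509_V_FLAG_CRL_CHECK when `-crl_check` is given) to show the behaviour the post describes: once CRL checking is enabled and no CRL for the issuer has been loaded into the store, verification is rejected outright instead of fetching the CRL from the CDP URL carried in the certificate. The CA, the leaf certificate and the CDP host `crl.example.invalid` are all constructed by the script; it assumes an `openssl` binary (1.1.1 or later) and `mktemp` are available.

```shell
#!/bin/sh
# Added demonstration, not code from the mailing list post.
# Shows that `openssl verify -crl_check` consults only CRLs already in the
# store and never follows the CRL Distribution Point (CDP) URL in the cert.
# Everything below (CA, leaf, CDP URL) is constructed for the demo.

# Build a throwaway CA and a leaf certificate carrying a CDP URL.
# Prints the working directory so callers can reference the files.
make_test_pki() {
    dir=$(mktemp -d)
    # Minimal req config so the demo does not depend on a system openssl.cnf.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Leaf extensions: a CDP pointing at a host that does not exist (constructed).
    cat > "$dir/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
crlDistributionPoints = URI:http://crl.example.invalid/ca.crl
EOF
    # Self-signed CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/ca.cnf" \
        -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Leaf CSR, then sign it with the CA and attach the CDP extension.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=leaf.example.invalid" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" 2>/dev/null
    echo "$dir"
}

# Plain chain validation: the CDP extension plays no role, so this succeeds.
verify_plain() {
    openssl verify -CAfile "$1/ca.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# Same chain with CRL checking enabled (X509_V_FLAG_CRL_CHECK underneath).
# No CRL for the issuer is in the store and OpenSSL does not fetch the CDP,
# so X509_verify_cert() fails with "unable to get certificate CRL".
verify_crl_check() {
    openssl verify -CAfile "$1/ca.crt" -crl_check "$1/leaf.crt" >/dev/null 2>&1
}

# Stand-alone run: show both outcomes side by side.
pki=$(make_test_pki)
if verify_plain "$pki"; then
    echo "verify without -crl_check: accepted"
fi
if verify_crl_check "$pki"; then
    echo "verify with -crl_check: accepted (unexpected)"
else
    echo "verify with -crl_check: rejected (no CRL in store; CDP not fetched)"
fi
```

Run it with `sh demo.sh`. The practical consequence for anyone enabling X509_V_FLAG_CRL_CHECK in a server or client is that the CRL has to be provisioned into the X509_STORE ahead of the handshake (for example via X509_STORE_add_crl() or a lookup method that reads it from disk); turning the flag on without doing so converts every verification into a hard failure rather than triggering a network fetch.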