On Mon, Jun 04, 2007, Brian Craft wrote:

> From a brief look at the cert validation code, it appears that there's
> no way to do non-blocking IO while performing on-line revocation checks,
> e.g. querying a CDP or an OCSP responder.
>
> Is that correct? Specifically, I see in ssl_cert.c a call is made to
> X509_verify_cert(), or a user-supplied verification callback. It looks
> like X509_verify_cert() only checks CRLs, and only CRLs that have been
> previously stored in the context. So, no CDP lookups.
>
> Further, it looks like if a user-supplied callback is provided that
> does a CDP lookup, there's no way for the callback to return a
> would-block error, or for the handshake to be retried once the
> revocation data is available. Is that correct?

Currently no. Adding support via special return codes is not that hard to do but would cause problems for existing applications. The reason is that they would not know how to handle the condition. It could behave in a manner similar to the existing non-blocking I/O but it would be via a different socket (e.g. the one downloading the CRL or performing OCSP).

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]