> From: owner-openssl-us...@openssl.org On Behalf Of Daniel Mentz
> Sent: Wednesday, 02 September, 2009 08:27
> To: openssl-users@openssl.org
> Subject: post-connection assertions
>
> I'm wondering what's the best way to check the identity of
> the peer [in its cert just after connection]
> So I call SSL_get_verify_result() and
> SSL_get_peer_certificate(). My question is *when* to call
> these functions. Some alternatives come into my mind. But I
> do not like any of them:
>
> 1. Call those functions when SSL_accept() (or SSL_connect())
> returns success.
> That's not an option for me cos I want to use the implicit
> connection setup provided by SSL_read() and SSL_write()

I prefer to be explicit. But it's your choice.

> 2. Use SSL_in_init() after every call to SSL_read() or
> SSL_write() and see if the return value changes from true to false.
> I don't like that option either because it feels like a hack.
> Also, I guess it only works with SSL_read(). SSL_write()
> might send data before I've got a chance to check if the
> subjectAltName matches with what I expect.

I agree that's pretty yucky.

> 3. Use SSL_set_verify() and provide a callback function.
> This sounds promising but the callback function gets called
> for every certificate in the chain. How can I find out
> whether the certificate in question is the peer's cert and
> not some intermediate cert?

x509storectx->error_depth == 0 (1,2,... are the CAs) even though this
callback isn't for error. Yeah, it looks silly but it works. Look at the
loop in x509/x509_vfy.c internal_verify() to see why.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org