The same question in much more specific terms:
int VerifyCallback(X509_STORE_CTX *store_ctx, void *arg)
Is the certificate stored in store_ctx the *new* one that the peer sends
in case of *renegotiation*?
Is the certificate stored in the SSL struct (obtained via
SSL_get_peer_certificate()) the *old* one that was negotiated from the
previous successful handshake? Is this one NULL the first time this
callback is called? (i.e. initial handshake, *not* renegotiation)
If so, I could just compare those two and return 0 if they are not equal.
Thanks in advance,
Dimitris
On Wed, 21 May 2014, Dimitrios Apostolou wrote:
Hello list,
I'm using SSL_CTX_set_cert_verify_callback(empty_callback) to bypass all
certificate chain walking and validation. I extract and validate the RSA key
*after* handshake and verify only that.
However I believe this callback can be called an arbitrary number of times after the initial
handshake, in the case of renegotiation. In that case, I want to close the
connection if the peer renegotiates the session using a different key than
the initial one.
So I need to not only get the current certificate from X509_STORE_CTX, but
also the original certificate *from before renegotiation*. Is there an API
call for that, or do I need to pass custom data pointers using ex_data?
Thank you in advance,
Dimitris
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org