Hi Viktor, I realized that something like this could be an option a few minutes after I hit "send". Thanks for the confirmation - I'll give this a shot!
Many thanks!

Armen

On Mon, Sep 10, 2018 at 11:19 PM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
>
> > On Sep 11, 2018, at 2:09 AM, Armen Babikyan <armen.babik...@gmail.com> wrote:
> >
> > I have a question regarding openssl and verification of client certificates. Is there a way to have an openssl-enabled server ask for a client certificate, and when it receives one it can't verify, rather than immediately terminating the handshake, it would allow the connection, but pass some context about the failed verification to the calling application?
>
> Yes.
>
> > It appears that what I want is not possible from the SSL_VERIFY_* options presented here:
>
> Actually, SSL_VERIFY_PEER is the right choice, but you also need a non-null verification callback that continues (by returning 1) despite failures to verify the client certificate.
>
> You can check the verification status at the completion of the handshake via SSL_get_verify_result(3).
>
> --
> Viktor.
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users