[asio-users] Additional checks on peer certificate
From: Marcel F. <Mar...@qu...> - 2010-06-21 20:29:00
Hi,

I want to do some additional checks on the peer certificate, like a hostname check.

My first question is how I should get access to the peer certificate in the verify callback. The documentation for X509_STORE_CTX_get_current_cert(ctx); states that in case of no error this may return NULL, so I guess I should not just call this one at depth 0, as the certificate does not need to be in an error state (although that seems to work). I guess using SSL_CTX_set_verify(ssl) is also a bad idea and should only be called after the verify (so not from the callback), although I did not test this. I now use X509_STORE_CTX_get_chain when at depth 0 and use the certificate at entry 0 in this stack. Is this the correct way to get access to the peer certificate?

My second question is on when to do this check in the callback. I now do it when at depth 0 and preverify_ok was 1. This used to work ok until I added an "accept an expired certificate" option in the callback (when a certain command line option is set). In case of the expired certificate (the initial preverify_ok is 0 in this case) I do the check and return 1. What I now see is that after this return the callback gets called another time for the same certificate, but with preverify_ok 1. So now the additional verification is done twice (still works but is not what I had in mind ;-). So now I guess that I should change the code to only do the additional check when the INITIAL preverify_ok was 1, is this correct? And is it intended behaviour that it works like this (calling the callback again for a certificate that was originally not ok but is made ok by the return code of the callback), so my changes won't break in a future version?

Kind regards,
Marcel Fransen
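The hostname check the post wants to add, written out as an added C++ example that is not part of the mail thread or of asio: it implements the name-matching rules a client applies to the peer certificate (case-insensitive comparison, a single left-most-label wildcard only, subjectAltName dNSName entries taking precedence over the subject CN). It assumes the caller has already pulled the dNSName list and CN out of the X509 obtained in the verify callback at depth 0, as the post describes; extracting those strings from the X509 with the OpenSSL API is not shown here, and the names in `main` are constructed sample values.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Lower-case a DNS name: matching is case-insensitive (RFC 4343).
static std::string to_lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// Strip one trailing dot so "example.com." compares equal to "example.com".
static std::string strip_trailing_dot(std::string s) {
    if (!s.empty() && s.back() == '.') s.pop_back();
    return s;
}

// Does one certificate name (a dNSName or the CN) cover `host`?
// Rules (RFC 6125 section 6.4.3, as mainstream clients apply them):
//  - exact, case-insensitive comparison unless the pattern has a wildcard;
//  - the only accepted wildcard form is "*.label.tld": '*' must be the whole
//    left-most label and at least two labels must follow it, so "*.com",
//    "w*.example.com" and "*.*.example.com" are all rejected;
//  - '*' matches exactly one non-empty label, never "" and never "a.b".
bool hostname_matches(const std::string& host_in, const std::string& pattern_in) {
    const std::string host = strip_trailing_dot(to_lower(host_in));
    const std::string pattern = strip_trailing_dot(to_lower(pattern_in));
    if (host.empty() || pattern.empty()) return false;

    const std::size_t star = pattern.find('*');
    if (star == std::string::npos) return host == pattern;

    // Wildcard only as the entire first label: "*." prefix and no other '*'.
    if (star != 0 || pattern.size() < 2 || pattern[1] != '.' ||
        pattern.find('*', 1) != std::string::npos)
        return false;
    const std::string suffix = pattern.substr(1);            // ".example.com"
    if (std::count(suffix.begin(), suffix.end(), '.') < 2)   // require "*.x.y"
        return false;

    if (host.size() <= suffix.size()) return false;
    if (host.compare(host.size() - suffix.size(), suffix.size(), suffix) != 0)
        return false;
    const std::string matched = host.substr(0, host.size() - suffix.size());
    // The wildcard may stand in for a single label only.
    return !matched.empty() && matched.find('.') == std::string::npos;
}

// Check `host` against the peer certificate's names. `san_dns` holds the
// dNSName entries of subjectAltName, `subject_cn` the subject CommonName.
// Per RFC 6125 section 6.4.4 the CN is consulted only when the certificate
// carries no dNSName at all, so a certificate with SANs is never matched by CN.
bool verify_peer_hostname(const std::string& host,
                          const std::vector<std::string>& san_dns,
                          const std::string& subject_cn) {
    if (!san_dns.empty()) {
        return std::any_of(san_dns.begin(), san_dns.end(),
                           [&](const std::string& n) { return hostname_matches(host, n); });
    }
    return !subject_cn.empty() && hostname_matches(host, subject_cn);
}

int main() {
    // Constructed sample names, standing in for what the callback would read
    // from the X509 at chain entry 0 (hypothetical values, not a real cert).
    const std::vector<std::string> san = {"*.example.com", "example.com"};
    const std::string cn = "unused.example.net";
    std::cout << "mail.example.com: " << verify_peer_hostname("mail.example.com", san, cn) << '\n';
    std::cout << "a.b.example.com:  " << verify_peer_hostname("a.b.example.com", san, cn) << '\n';
    std::cout << "unused.example.net: " << verify_peer_hostname("unused.example.net", san, cn) << '\n';
    return 0;
}
```

Because the check reads only the certificate and the expected host, it is safe to run on every invocation of the callback at depth 0: the post observes that OpenSSL may call the callback a second time for the same certificate once a failing result has been overridden, and a pure check like this one simply yields the same answer both times. OpenSSL 1.0.2 and later ship `X509_check_host`, which implements the same rules directly on an X509.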