From: <msj...@gm...> - 2004-10-02 07:36:18
On Sat, 2 Oct 2004 14:54:57 +1000, Ajay <abr...@ma...> wrote:
> hi!
>
> i added a callback for set_verify.
> ctx.set_verify(VERIFY_NONE, verify)
>
> in verify, i put a print statement and it gets called twice - once for
> CA.cert and once for server.cert. Shouldn't it get called only once, for
> server.cert

No, the callback gets called once for every cert in the cert chain,
starting with the root and ending with the server's cert. One of the
arguments is the depth, I don't recall off hand.

> also how would you verify the server certificate? what would you add to
> verify()

Well, for starters I'd use SSL.VERIFY_PEER rather than VERIFY_NONE ;)
You should probably read the man page for SSL_CTX_set_verify_callback,
this is basic openssl stuff.

/Martin
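The callback behaviour described in the reply, as an added example that is not part of the original message: a pyOpenSSL verify callback that logs each chain depth and passes OpenSSL's own verdict through, installed with VERIFY_PEER. The names `make_verify`, `make_client_context`, `replay` and `_fake_cert`, the certificate names and the CA file argument are assumptions made for illustration; `replay` feeds constructed verdicts to the callback so it can be exercised offline.

```python
from types import SimpleNamespace

def make_verify(log):
    """Build a callback with pyOpenSSL's (conn, cert, errnum, depth, ok) signature."""
    def verify(conn, cert, errnum, depth, ok):
        # Called once per certificate in the chain. depth 0 is the server's
        # own certificate; higher depths are the CAs above it.
        log.append((depth, cert.get_subject().CN, errnum))
        # `ok` is OpenSSL's own verdict for this certificate. Pass it on:
        # returning True unconditionally would accept a chain that failed.
        return bool(ok)
    return verify

def make_client_context(ca_file, log):
    """Context that enforces verification (VERIFY_PEER, not VERIFY_NONE)."""
    from OpenSSL import SSL  # pyOpenSSL, imported here so the callback can be tried without it
    ctx = SSL.Context(SSL.TLS_CLIENT_METHOD)
    ctx.load_verify_locations(ca_file)  # trust anchors, e.g. the CA.cert file
    ctx.set_verify(SSL.VERIFY_PEER, make_verify(log))
    return ctx

def _fake_cert(cn):
    # Constructed stand-in exposing only the X509.get_subject().CN accessor.
    return SimpleNamespace(get_subject=lambda: SimpleNamespace(CN=cn))

def replay(chain, log):
    """Feed constructed (cn, errnum, ok) verdicts to the callback, root first,
    the order the reply describes. Stops at the first rejection, as the
    handshake would."""
    verify = make_verify(log)
    top = len(chain) - 1
    for i, (cn, errnum, ok) in enumerate(chain):
        if not verify(None, _fake_cert(cn), errnum, top - i, ok):
            return False
    return True

if __name__ == "__main__":
    log = []
    # Constructed two-certificate chain: root CA, then the server certificate.
    print(replay([("Example CA", 0, 1), ("server.example", 0, 1)], log), log)
```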