
Strange behaviour with SSL_CTX_set_verify


Hegde, Ramdas

Mar 22, 2001, 6:12:42 PM
After I do the SSL initialization, I do the following in my server code.
while(1){
    if((s=accept(sock,0,0))<0)
        err_exit("Problem accepting");

    sbio=BIO_new_socket(s,BIO_NOCLOSE);
    ssl=SSL_new(ctx);
    SSL_set_bio(ssl,sbio,sbio);

    /* note: called after SSL_new() */
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);
    if((r=SSL_accept(ssl))<=0)   /* parenthesised so r holds the return value, not the comparison */
        err_exit("SSL accept error");

    peer = SSL_get_peer_certificate(ssl);
    if (peer == NULL) {
        printf("Null presented by peer \n");
    }
}

The first time the client connects and does the SSL handshake, when the
server makes a request for a client certificate, it gets a NULL. But on
subsequent calls from the client, the server is able to get the client
certificate.
What could be going wrong the first time this happens?
If I make it SSL_set_verify() instead of SSL_CTX_set_verify(), the server
gets the peer certificate but the callback function is not called.
I am confused as to why this is happening and would appreciate any ideas for
solving this problem.

Thanks

Ramdas
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Greg Stark

Mar 22, 2001, 8:53:27 PM
You need to do the SSL_CTX_set_verify() *before* you do the SSL_new(). The
SSL * sort of inherits all of the settings from the parent SSL_CTX *, kind
of like a fork(). If you need to customize a setting for a particular SSL
session, you do this to the SSL * object.

_____________________________________
Greg Stark
Ethentica, Inc.
gst...@ethentica.com
_____________________________________

Hegde, Ramdas

Mar 22, 2001, 9:20:44 PM
Thanks Greg

Moving the SSL_CTX_set_verify() above the SSL_new() did the job of fixing
the problem.

Ramdas

Filipe Contente

Mar 23, 2001, 10:55:45 AM

HI!!!

I'm having the same problem.

but I can't get the peer certificate in any situation, it is always
NULL!

I'm using the SSL_CTX_set_verify() method after I create the call to
SSL_CTX_new(),
is it in the wrong place?? Should I use the SSL_set_verify()?

I'm doing this in C++ also, and I'm using threads, so for each session I
create a new ssl.
Is this ok??

If you don't mind, can you send me your ssl_set_verify() method???

thanks a lot.

Hegde, Ramdas

Mar 23, 2001, 12:58:06 PM
Hi Filipe

You will have to do the SSL_CTX_set_verify() before creating the ssl object
using SSL_new().
The modified code which works for me is given below. I too do a fork() for
every request passing on the ssl reference to each child.


if((s=accept(sock,0,0))<0)
    err_exit("Problem accepting");

sbio=BIO_new_socket(s,BIO_NOCLOSE);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);  /* ---> moved before SSL_new() */
ssl=SSL_new(ctx);                                             /* ---> now inherits the verify settings */
SSL_set_bio(ssl,sbio,sbio);

if((r=SSL_accept(ssl))<=0)   /* parenthesised so r holds the return value, not the comparison */
    err_exit("SSL accept error");

verify_error = SSL_get_verify_result(ssl);   /* returns long, hence %ld rather than %Ld */
printf("verify error val = %ld\n", verify_error);
if (verify_error != X509_V_OK) {
    printf("verify error val = %ld\n", verify_error);
    BIO_printf(bio_err,"verify error:%s\n",
               X509_verify_cert_error_string(verify_error));
}
peer = SSL_get_peer_certificate(ssl);
if (peer == NULL) {
    printf("Null presented by peer \n");
}


Ramdas
