[Development] OpenSSL certificate validation

Florian Weimer fweimer at redhat.com
Tue Aug 13 19:11:16 CEST 2013

On 08/13/2013 05:57 PM, Thiago Macieira wrote:
> On Tuesday, 13 August 2013 14:21:24, Florian Weimer wrote:
>> On 08/13/2013 01:55 PM, Florian Weimer wrote:
>>> network/ssl/qsslsocket_openssl.cpp contains these lines in
>>> QSslSocketBackendPrivate::initSslContext():
>>>       // Register a custom callback to get all verification errors.
>>>       X509_STORE_set_verify_cb_func(ctx->cert_store, q_X509Callback);

> It looks like that function is used only to store the certificates and error IDs
> during the verification process, not to implement it. We need to get a result
> from OpenSSL whether the verification was successful or not, and if it was not
> successful, the details why.

In my tests, the code below achieved just that:

     // Initialize peer verification.
     if (configuration.peerVerifyMode == QSslSocket::VerifyNone) {
         q_SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);
     } else {
         q_SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, q_X509Callback);

The same callback is used there.  But if it's registered in this manner,
it's not called by OpenSSL while building the client certificate chain.

> If there's a better API for it than a global callback that doesn't get a
> context token passed, we're all ears :-)

You could use a multi-map with the X509_STORE_CTX * as the key instead 
of a list.  The pointer should be available from the SSL_CTX via 
SSL_CTX_get_cert_store, and it should be specific to that SSL_CTX.

Florian Weimer / Red Hat Product Security Team
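
Added example, not part of the original message and not Qt's code: a sketch of the multi-map idea above, where verification errors are filed under the context pointer the callback receives instead of in one shared list. FakeStoreCtx, VerifyError and VerifyErrorRegistry are hypothetical names; FakeStoreCtx stands in for OpenSSL's X509_STORE_CTX so the sketch builds without OpenSSL.

```cpp
#include <map>
#include <mutex>
#include <vector>

// Stand-in for OpenSSL's opaque X509_STORE_CTX (assumption, so this compiles
// without OpenSSL). A real callback would read these two fields with
// X509_STORE_CTX_get_error() and X509_STORE_CTX_get_error_depth().
struct FakeStoreCtx { int error; int depth; };

struct VerifyError { int code; int depth; };

// Hypothetical replacement for a single global error list: errors are filed
// under the context pointer the callback receives, so verifications running
// at the same time cannot mix their results.
class VerifyErrorRegistry {
public:
    // Same shape as an OpenSSL verify callback: int cb(int ok, X509_STORE_CTX *).
    int onVerify(int ok, const FakeStoreCtx *ctx) {
        if (!ok) {
            std::lock_guard<std::mutex> lock(mutex_);
            errors_.emplace(ctx, VerifyError{ctx->error, ctx->depth});
        }
        // Returning 1 lets the chain walk continue so every error is recorded;
        // the caller must then treat a non-empty result as a failed verification.
        return 1;
    }

    // Fetch and erase one context's errors. Erasing matters: the context is
    // freed after verification and its address can be reused later.
    std::vector<VerifyError> take(const FakeStoreCtx *ctx) {
        std::lock_guard<std::mutex> lock(mutex_);
        std::vector<VerifyError> out;
        auto range = errors_.equal_range(ctx);
        for (auto it = range.first; it != range.second; ++it)
            out.push_back(it->second);
        errors_.erase(range.first, range.second);
        return out;
    }

private:
    std::mutex mutex_;
    std::multimap<const FakeStoreCtx *, VerifyError> errors_;
};
```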
