[Development] OpenSSL certificate validation

Thiago Macieira thiago.macieira at intel.com
Tue Aug 13 19:32:05 CEST 2013


On terça-feira, 13 de agosto de 2013 19:11:16, Florian Weimer wrote:
>      // Initialize peer verification.
>      if (configuration.peerVerifyMode == QSslSocket::VerifyNone) {
>          q_SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);
>      } else {
>          q_SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, q_X509Callback);
>      }
> 
> The same callback is used there.  But if it's registered in this manner, 
> it's not called by the OpenSSL while building the client certificate chain.

Makes sense.

I'm located in the US, so I'm not allowed to modify the SSL code. If you're in 
the US, you're not either. And now here's an interesting question: are people 
working for American companies allowed to modify the SSL code?

> > If there's a better API for it than a global callback that doesn't get a
> > context token passed, we're all ears
> 
> You could use a multi-map with the X509_STORE_CTX * as the key instead 
> of a list.  The pointer should be available from the SSL_CTX via 
> SSL_CTX_get_cert_store, and it should be specific to that SSL_CTX.

Sorry, I'm not sure I understood that. Sounds like we still have a global.

I'd like to obtain the list of error conditions and for each condition the 
associated certificate (or depth) without a global variable.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.qt-project.org/pipermail/development/attachments/20130813/4e60b363/attachment.sig>


More information about the Development mailing list