views: 127

answers: 2

Hello,

Can anyone tell me what is the difference between SSL_CTX_set_cert_verify_callback and SSL_CTX_set_verify? From OpenSSL docs:

SSL_CTX_set_cert_verify_callback() sets the verification callback function for ctx. SSL objects that are created from ctx inherit the setting valid at the time when SSL_new(3) is called.

and:

SSL_CTX_set_verify() sets the verification flags for ctx to be mode and specifies the verify_callback function to be used. If no callback function shall be specified, the NULL pointer can be used for verify_callback.

So I'm trying to understand which callback to send for each one (from client side).

Thanks experts.

+1  A: 

SSL_CTX_set_cert_verify_callback() means you're specifying a function to do the entire validation process (walking the certificate chain validating each cert in turn). [ you probably don't want to be doing this, per the warning below ]

SSL_CTX_set_verify(), on the other hand, specifies a function that's called when the default validator checks each certificate, with preverify_ok set to 0 or 1 to indicate if verification of the certificate in question worked.

From the doc for SSL_CTX_set_cert_verify_callback()

WARNINGS

Do not mix the verification callback described in this function with the verify_callback function called during the verification process. The latter is set using the SSL_CTX_set_verify(3) family of functions.

Providing a complete verification procedure including certificate purpose settings etc is a complex task. The built-in procedure is quite powerful and in most cases it should be sufficient to modify its behaviour using the verify_callback function.

David Gelhar
SSL_CTX_set_verify() is called only when the default validator discovers that a particular cert has failed to validate? So it will be called only when something is not OK with the certificate?
BreakPoint
See my answer. It will be called for the client cert regardless of the validation result. OpenSSL passes the result to the callback in the preverify_ok argument.
ZZ Coder
@ZZ right, I'll make that correction
David Gelhar
When you say "It will be called for client cert" - do you mean only from the server side?
BreakPoint
Yes. All this doesn't mean much to you if you are a client.
ZZ Coder
Thanks... Some more questions: 1. Is the subject name matching validation done by OpenSSL's default procedure? 2. Where can I get the whole list of checks that this mechanism performs? 3. Is there a way to waive one of them specifically (the validity date, the chain of trust, etc.)? If yes, how? Thanks again!
BreakPoint
+1  A: 

SSL_CTX_set_cert_verify_callback() changes the default certificate verification function. You probably should not do this. It's quite involved: you need to check the signature of each cert, verify the chain, and possibly check CRLs. It's the most complicated part of SSL.

SSL_CTX_set_verify() is used to set the verify mode of SSL. If the mode is SSL_VERIFY_PEER (2-way SSL), you should also set a callback in this function to further verify the client certificate (checking the CN against a white-list, etc.). For other modes, this callback is not used. Since you said you are in client mode, you probably don't need to worry about this call.

ZZ Coder
Thanks for replying. Does the default validation check for a subject name mismatch? I have a sample implementation that uses SSL_CTX_set_verify() in order to perform this check, on the client side.
BreakPoint