Posted to dev@httpd.apache.org by Jos Dehaes <jo...@be.ubizen.com> on 2004/08/12 10:29:54 UTC

which callback to use to do custom certificate validation

Hello,

we would like to do our own verification of client certificates, and to
that effect have written a module and a patch to mod_ssl that replaces
the verify callback with our own hook in ssl_hook_Access
(ssl_engine_kernel.c):

/* Look up the optional function exported by our module; NULL if it is not loaded. */
APR_OPTIONAL_FN_TYPE(custom_ssl_verify) *cust_verify = NULL;
cust_verify = APR_RETRIEVE_OPTIONAL_FN(custom_ssl_verify);
/* SSL_CVERIFY_CUSTOM is the SSLVerifyClient mode our patch adds. */
if (dc->nVerifyClient == SSL_CVERIFY_CUSTOM && cust_verify) {
     verify |= SSL_VERIFY_CLIENT_ONCE;
     modssl_set_verify(ssl, verify, cust_verify);
} else {
     /* Otherwise keep mod_ssl's own verify callback. */
     modssl_set_verify(ssl, verify, ssl_callback_SSLVerify);
}

and something similar in ssl_init_ctx_verify (in ssl_engine_init.c).
This works, but we don't have access to the cert chain when our callback
is called (SSL_get_peer_cert_chain returns a NULL pointer). Is this
normal (not yet filled in)? Or do we use the wrong callback/hook at the
wrong place?

Any help appreciated, (please CC, since I'm not on the list),
jos

Re: which callback to use to do custom certificate validation

Posted by Joe Orton <jo...@redhat.com>.
On Thu, Aug 12, 2004 at 10:29:54AM +0200, Jos Dehaes wrote:
> This works, but we don't have access to the cert chain when our callback
> is called (SSL_get_peer_cert_chain returns a NULL pointer). Is this
> normal (not yet filled in)? Or do we use the wrong callback/hook at the
> wrong place?

I think that's expected behaviour, you can only get to the cert chain
via the X509_STORE_CTX whilst it is being verified.

joe