Posted to dev@httpd.apache.org by Jos Dehaes <jo...@be.ubizen.com> on 2004/08/12 10:29:54 UTC
which callback to use to do custom certificate validation
Hello,
we would like to do our own verification of client certificates, and to
that effect have written a module and a patch to mod_ssl that replaces
the verify callback with our own hook in ssl_hook_Access
(ssl_engine_kernel.c):
    APR_OPTIONAL_FN_TYPE(custom_ssl_verify) *cust_verify = NULL;
    cust_verify = APR_RETRIEVE_OPTIONAL_FN(custom_ssl_verify);
    if (dc->nVerifyClient == SSL_CVERIFY_CUSTOM && cust_verify) {
        verify |= SSL_VERIFY_CLIENT_ONCE;
        modssl_set_verify(ssl, verify, cust_verify);
    } else {
        modssl_set_verify(ssl, verify, ssl_callback_SSLVerify);
    }
and something similar in ssl_init_ctx_verify (in ssl_engine_init.c).
This works, but we don't have access to the cert chain when our callback
is called (SSL_get_peer_cert_chain returns a NULL pointer). Is this
normal (not yet filled in)? Or do we use the wrong callback/hook at the
wrong place?
Any help appreciated, (please CC, since I'm not on the list),
jos
Re: which callback to use to do custom certificate validation
Posted by Joe Orton <jo...@redhat.com>.
On Thu, Aug 12, 2004 at 10:29:54AM +0200, Jos Dehaes wrote:
> This works, but we don't have access to the cert chain when our callback
> is called (SSL_get_peer_cert_chain returns a NULL pointer). Is this
> normal (not yet filled in)? Or do we use the wrong callback/hook at the
> wrong place?
I think that's expected behaviour; you can only get to the cert chain
via the X509_STORE_CTX whilst it is being verified.
joe