user2766839

Reputation: 177

SSL_CTX_set_cert_verify_callback to get the chain list

When I register a callback using SSL_CTX_set_cert_verify_callback, I get the callback. The ctx contains the cert, but I can't seem to find the whole cert chain sent by the client. Does anyone know which field in the ctx would have it? Or how can I retrieve it so that I can do the full validation?

SSL_CTX_set_cert_verify_callback(ctx, ssl_app_verify_callback, NULL);

Thanks...

Upvotes: 0

Views: 487

Answers (2)

user2797321

Reputation:

The chain of certs sent by the client is stored in the ctx->untrusted structure which is a stack of certs considered 'untrusted' because it is not part of the trust store. You don't really need to access this chain because openssl will automatically use it while performing the certificate chain validation process. In fact, I would be careful modifying this, since it could have unintended consequences. Refer to this thread on the openssl forum which cautions against changing the struct.

Upvotes: 0

Steffen Ullrich

Reputation: 123260

The verify callback for client certificates works the same way as the callback for the server certificates, i.e.

  • OpenSSL will build the chain based on what the client has sent and what the server knows as the local CA path.
  • For each part of the chain the verification callback will be called. This means that the callback will be called for local certificates which are part of the trust chain even if the client has not sent them. And the callback will not be called for certificates which are not part of the chain even if the client has sent them.

Whether the client will send chain certificates depends on the client. But there is nothing in the standard which makes this impossible, and openssl s_client -cert leaf.pem -CAfile chain.pem ... can be used to make the client send both leaf and chain certificates.

Upvotes: 1
