Certificate verification with BIO_do_connect()

Question

Is certificate verification performed during a BIO_do_connect call?

I am trying to understand when to use ssl_get_verify_result(). The documentation says this function should be used in conjunction with ssl_get_peer_certificate. But some of the examples (IBM's for instance) don't, saying that OpenSSL does the verification for us. They only call ssl_get_verify_result() after BIO_do_connect.

I see that BIO_do_connect is actually a macro:

/* BIO_s_accept() and BIO_s_connect() */
#  define BIO_do_connect(b)       BIO_do_handshake(b)
#  define BIO_do_accept(b)        BIO_do_handshake(b)
# endif /* OPENSSL_NO_SOCK */

# define BIO_do_handshake(b)     BIO_ctrl(b,BIO_C_DO_STATE_MACHINE,0,NULL)

So, my understanding is that BIO_do_connect does not actually check to see if the server sent a certificate. If the server does send a certificate, then ssl_get_verify_result will use that to perform verification. If it doesn't send one, then ssl_get_verify_result still returns X509_V_OK. That is why we need to call ssl_get_peer_certificate to make sure that a certificate is in fact sent. Is this correct?

Answer 1

If you look at the BIO_do_handshake example, you are safe to call ssl_get_verify_result / ssl_get_peer_certificate after the call to BIO_do_handshake.

You can customize the verification process with SSL_CTX_set_verify in which you can provide a callback verification function. This allow you to provide your own validation rules like allowing overrides for things like self signed certificate support, etc.