On 18-01-13 04:26, Patrick Pelletier wrote: > On 12/10/2012 03:05 AM, Patrick Pelletier wrote: > >> So I had been thinking it couldn't be done with the callback. However, >> after re-reading the manpage for SSL_CTX_set_verify, it sounds like it >> does get called on success, and is given the opportunity to fail the >> connection. So perhaps I could call validate_hostname() from inside the >> callback after all. I just haven't seen it done that way, but I'll give >> it a try and see if it works. > > The problem with this is that the callback set with SSL_CTX_set_verify is > called once for *each* certificate in the chain, starting with the > certificate authority, working its way through the intermediate certificates > (if any) and ending with the server's certificate. The server certificate > is the one I want to check the hostname of. But how do I tell when my > callback is being called for the *last* time? That seems to be a > fundamentally intractable problem. You can use this from within the callback (I use it for a different use case): int errdepth = X509_STORE_CTX_get_error_depth(ctx); When the errdepth hits 0, you are evaluating the end-entity certificate (aka host/client/service certificate and not a CA). You can double check this by doing a certificate purpose check, but in most cases this will work perfectly. In the unlikely event you need to support RFC3820, then I have solutions for that too. IMHO libevent should be able to trigger and event and callback to do this basic function. Without it RFC2818 (and friends) are complicated to implement. Oscar
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature