
OpenSSL: How to supply a custom pointer to the certificate verification callback

Developer https://www.devze.com 2023-01-24 14:35 Source: Internet
I want to use X509_STORE_set_verify_cb_func to receive certificate validation errors. I then want to store these errors in a list and process it later after SSL_connect returned.


However, my application is multithreaded and I wanted to avoid any mutex locking for this callback. Any ways to pass a "void pointer" or store this somewhere in the X509_STORE_CTX so I can store the error inside the "right" location and don't have to use a global error list and lock that while doing the SSL_connect?

Thanks


AFAIK you are indeed stuck with that - just stuff it as an entry in there under your own id. The other option is to deal with the SSL callbacks a bit more generically - see for example ssl_hook in ssl_engine_kernel.c of Apache's SSL module. While a bit more work - it gives you complete control over the entire process - and entirely in your 'own process space'.

Thanks,

Dw.


If you are using C11 or later, you can define a global thread_local variable

#include <threads.h>   /* C11: thread_local is a macro for the _Thread_local keyword */
thread_local void *openssl_verify_context;

Then

  • Set openssl_verify_context before setting the callback (i.e. before X509_STORE_set_verify_cb_func).
  • Use openssl_verify_context in the callback.
  • If needed, read and unset openssl_verify_context after validating the certificate (i.e. after PKCS7_dataVerify).

The advantage of this solution is you do not need to know the details of the struct behind X509_STORE_CTX (it is hidden in recent versions of OpenSSL).
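Worked example added here (not code from either answer): the thread-local approach above carried through to a callback that records every chain error for processing after SSL_connect. The X509_STORE_CTX type and the two accessor functions are replaced by a labelled stand-in so the file compiles without libcrypto; the handshake is simulated with constructed error codes, and the list type, callback and helper names are this example's own.

```c
#include <stddef.h>
/* Stand-in for the OpenSSL pieces used below so this file compiles without libcrypto.
 * Real build: delete this block and #include <openssl/x509_vfy.h> (names/values are OpenSSL's). */
typedef struct { int error; int depth; } X509_STORE_CTX;
static int X509_STORE_CTX_get_error(X509_STORE_CTX *c)       { return c->error; }
static int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *c) { return c->depth; }
#define X509_V_OK                            0
#define X509_V_ERR_CERT_HAS_EXPIRED          10
#define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19
/* --- end stand-in --- */
#define MAX_VERIFY_ERRORS 16
struct verify_error  { int depth; int code; };
struct verify_errors { size_t count; struct verify_error items[MAX_VERIFY_ERRORS]; };

/* Per-thread pointer (C11 _Thread_local): each thread doing SSL_connect() aims it
 * at its own list, so the callback needs neither a global list nor a mutex. */
static _Thread_local struct verify_errors *openssl_verify_context;

/* Signature expected by X509_STORE_set_verify_cb_func(). Records every failure and
 * returns 1 so OpenSSL walks the whole chain instead of stopping at the first error;
 * the accept/reject decision is deferred to verify_errors_fatal(). */
static int collect_verify_errors(int preverify_ok, X509_STORE_CTX *ctx) {
    struct verify_errors *errs = openssl_verify_context;
    if (errs == NULL)               /* no list for this thread: keep default strictness */
        return preverify_ok;
    if (!preverify_ok && errs->count < MAX_VERIFY_ERRORS) {
        errs->items[errs->count].depth = X509_STORE_CTX_get_error_depth(ctx);
        errs->items[errs->count].code  = X509_STORE_CTX_get_error(ctx);
        errs->count++;
    }
    return 1;
}

/* Post-handshake check: any recorded error means shut down and free the connection, never use it. */
static int verify_errors_fatal(const struct verify_errors *errs) { return errs->count > 0; }

/* Simulates the callback sequence for a two-certificate chain (constructed input, not a
 * real handshake): set the pointer before the callback can fire, unset it after SSL_connect(). */
static size_t run_simulated_handshake(struct verify_errors *errs) {
    X509_STORE_CTX issuer = { X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, 1 };
    X509_STORE_CTX leaf   = { X509_V_ERR_CERT_HAS_EXPIRED, 0 };
    X509_STORE_CTX fine   = { X509_V_OK, 0 };
    openssl_verify_context = errs;
    collect_verify_errors(0, &issuer);
    collect_verify_errors(0, &leaf);
    collect_verify_errors(1, &fine);
    openssl_verify_context = NULL;
    return errs->count;
}
```

Because the callback always returns 1 while a list is installed, the caller must check verify_errors_fatal() before sending any application data over the connection.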

