SSL_CTX_set_cert_verify_callback vs. SSL_CTX_set_verify

BreakPoint · Apr 28, 2010 · Viewed 8.9k times

Can anyone tell me what is the difference between SSL_CTX_set_cert_verify_callback and SSL_CTX_set_verify? From OpenSSL docs:

SSL_CTX_set_cert_verify_callback() sets the verification callback function for ctx. SSL objects that are created from ctx inherit the setting valid at the time when SSL_new(3) is called.

and:

SSL_CTX_set_verify() sets the verification flags for ctx to be mode and specifies the verify_callback function to be used. If no callback function shall be specified, the NULL pointer can be used for verify_callback.

So I'm trying to understand which callback to send for each one (from client side).

Thanks experts.

Answer

David Gelhar · Apr 28, 2010

SSL_CTX_set_cert_verify_callback() means you're specifying a function to do the entire validation process (walking the certificate chain validating each cert in turn). [ you probably don't want to be doing this, per the warning below ]

SSL_CTX_set_verify(), on the other hand, specifies a function that's called when the default validator checks each certificate, with preverify_ok set to 0 or 1 to indicate if verification of the certificate in question worked.

From the doc for SSL_CTX_set_cert_verify_callback()

WARNINGS

Do not mix the verification callback described in this function with the verify_callback function called during the verification process. The latter is set using the SSL_CTX_set_verify(3) family of functions.

Providing a complete verification procedure including certificate purpose settings etc is a complex task. The built-in procedure is quite powerful and in most cases it should be sufficient to modify its behaviour using the verify_callback function.