noxxi / p5-io-socket-ssl

IO::Socket::SSL Perl Module

Using SSL_verify_callback in server mode #151

Closed gbicann closed 7 months ago

gbicann commented 7 months ago

Hi there,

The documentation doesn't say so, but from what I can tell from the source code, the SSL_verify_callback parameter is ignored if SSL_server is set (I am using IO::Socket::SSL via Net::Server::Proto::SSL which I assume sets this option).

I am writing a server that needs to validate client certificates and this is not currently possible because of this.

Therefore, I'd like to ask:

  1. if this is a deliberate design choice, is it due to limitations in Net::SSLeay or the underlying libcrypto implementation(s), or for some other unavoidable reason?
  2. if it's not deliberate, or is for an avoidable reason, would you accept a pull request that makes SSL_verify_callback work when combined with SSL_server?

Thanks in advance,

@gbicann.

hubandr commented 7 months ago

Have you tried it with SSL_verify_mode => SSL_VERIFY_PEER?

noxxi commented 7 months ago

> ... parameter is ignored if SSL_server is set

This is not true (just verified).

> I am writing a server that needs to validate client certificates and this is not currently possible because of this.

Then the bug is probably in your server code or you have the wrong expectation of what SSL_verify_peer is supposed to do. Note that it is only called if there is an actual client certificate transferred. This can only be the case if a client certificate is actually requested - use SSL_VERIFY_PEER. And if it is not considered mandatory (SSL_VERIFY_FAIL_IF_NO_PEER_CERT) then the client can also send no certificate, in which case the verification callback does not get called either.
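The following is an added example, not code from this issue or from the IO::Socket::SSL distribution, showing the server-side setup hubandr and noxxi describe: request a client certificate, make it mandatory, and only then rely on SSL_verify_callback. The certificate file names and the "O=Example Corp" subject policy are placeholders chosen for the example.

```perl
use strict;
use warnings;
use IO::Socket::SSL;   # exports the SSL_VERIFY_* constants and $SSL_ERROR by default
use Net::SSLeay;

# Called once per certificate in the client's chain (leaf at depth 0),
# and only after the client has actually presented a certificate.
sub verify_client {
    my ($ok, $store, $certname, $error, $cert, $depth) = @_;
    # Never upgrade an OpenSSL failure (expired, untrusted issuer, ...) to success.
    if (!$ok) {
        warn "client chain rejected at depth $depth: $error ($certname)\n";
        return 0;
    }
    # Extra local policy on the leaf only: assumed rule that the subject carries our O=.
    if ($depth == 0) {
        my $subject = Net::SSLeay::X509_NAME_oneline(
            Net::SSLeay::X509_get_subject_name($cert));
        if ($subject !~ m{/O=Example Corp/}) {   # placeholder organisation name
            warn "client cert subject not permitted: $subject\n";
            return 0;
        }
    }
    return 1;
}

my $server = IO::Socket::SSL->new(
    LocalAddr           => '127.0.0.1:4433',
    Listen              => 5,
    SSL_server          => 1,
    SSL_cert_file       => 'server-cert.pem',   # placeholder paths
    SSL_key_file        => 'server-key.pem',
    SSL_ca_file         => 'client-ca.pem',     # CA trusted to issue client certs
    # Request a client certificate AND abort the handshake if none is sent;
    # without SSL_VERIFY_PEER the callback above is never reached.
    SSL_verify_mode     => SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
    SSL_verify_callback => \&verify_client,
) or die "listen failed: $SSL_ERROR";
while (1) {
    my $client = $server->accept;
    if (!$client) {
        # Handshake failures (no cert, rejected cert) surface here, not in the callback.
        warn "accept/handshake failed: $SSL_ERROR\n";
        next;
    }
    printf "authenticated client: %s\n", $client->peer_certificate('cn');
    print $client "hello\n";
    close $client;
}
```

When a client connects without a certificate, accept fails with FAIL_IF_NO_PEER_CERT and verify_client is never invoked, which is the behaviour noxxi describes.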