This is as much a question as an issue. I'm trying to understand why the SSL certificate verification in fast_tls is largely disabled because the verify callback always returns 1 (success):
```c
static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) {
    return 1;
}
```
I understand ejabberd does some level of certificate verification at the application level, but I'm curious why this couldn't be left for fast_tls / OpenSSL to handle?
Would you be open to PRs that change this behaviour?
Such a patch may have a performance penalty, and I'm not sure we need verification on that layer.
We can still consider reviewing a PR if you think that can be useful in the fast_tls driver.