Hi:
I'm using libwebsockets as wss client. I have the following problem. Would you please help to have a look?
I added a CRL file to the SSL_CTX in the LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS callback, like this:
    case LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS:
    ...
    if (crlPath) {
        /* the X509_STORE OpenSSL uses to verify the peer's chain */
        X509_STORE *store = SSL_CTX_get_cert_store(sslCtx);
        /* CRL_CHECK: check the leaf; CRL_CHECK_ALL: also check every CA in the chain */
        (void)X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
        /* load the (PEM) CRL at crlPath into the store; returns 1 on success */
        if (X509_STORE_load_locations(store, crlPath, NULL) != 1)
            lwsl_err("failed to load CRL from %s\n", crlPath);
    }
...
It works well when the issuer of the peer's certificate is the same as the issuer of the CRL. If it is different, I expect the TLS handshake to succeed, but actually I get an "unable to get certificate CRL" error.
I want to handle this error in the OpenSSL verify_callback, but I don't see a way to do it.
If I specify a callback on the SSL_CTX via SSL_CTX_set_verify, it is replaced by OpenSSL_client_verify_callback, and I can't change the result of OpenSSL_client_verify_callback.
Is there another way that I haven't found? Or, will a callback be added to OpenSSL_client_verify_callback, like LWS_CALLBACK_OPENSSL_PERFORM_CLIENT_CERT_VERIFICATION, in the future?
Any help or pointers would be greatly appreciated!
Thanks!
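Added example (not code from the original post or from libwebsockets): the same X509_STORE setup reproduced with the openssl CLI on a constructed two-CA test PKI, so the error can be seen outside the wss client. -crl_check_all is the CLI spelling of X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL, under which every certificate in the chain needs a CRL from its own issuer, so a CRL from a different CA does not help. The CA and leaf names, the temp directory and the minimal "openssl ca" config are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post: build a throwaway two-CA PKI with the
# openssl CLI and reproduce why a CRL from a different issuer does not satisfy CRL_CHECK.
# All names (ca-a, ca-b, leaf-a, leaf-b) and the temp directory are constructed here.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed root CA named $1, marked for certificate and CRL signing.
mkca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
    -subj "/CN=$1" -days 2 -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1
}
# Leaf certificate $1 issued by CA $2.
mkleaf() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -out "$1.crt" -days 1 >/dev/null 2>&1
}
mkca ca-a
mkca ca-b
mkleaf leaf-a ca-a   # peer whose issuer publishes no CRL that we hold
mkleaf leaf-b ca-b   # peer whose issuer is the CRL issuer

# Empty CRL signed by ca-b only. "openssl ca" insists on a config section and an index file.
printf '[ ca ]\ndefault_ca = ca_b\n[ ca_b ]\ndatabase = index.txt\ndefault_md = sha256\ndefault_crl_days = 1\n' > ca-b.cnf
: > index.txt
openssl ca -config ca-b.cnf -gencrl -keyfile ca-b.key -cert ca-b.crt -out ca-b.crl >/dev/null 2>&1
cat ca-a.crt ca-b.crt > trust.pem

# Same store as in the post: both CAs trusted, one CRL, and -crl_check_all, which is
# X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL (every cert in the chain needs a CRL
# from its own issuer). Prints "ok" or the X509 error text for certificate $1.
crl_verify() {
  out=$(openssl verify -CAfile trust.pem -CRLfile ca-b.crl -crl_check_all "$1" 2>&1) || true
  case "$out" in
    *"$1: OK"*)                        echo "ok" ;;
    *"unable to get certificate CRL"*) echo "unable to get certificate CRL" ;;
    *)                                 echo "other: $out" ;;
  esac
}

crl_verify leaf-b.crt   # ok
crl_verify leaf-a.crt   # unable to get certificate CRL
```

Whatever a verify callback later decides about X509_V_ERR_UNABLE_TO_GET_CRL, the store itself raises it for every issuer whose CRL is not loaded, so the decision has to be made per error rather than by adding more CRLs.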