warmcat / libwebsockets

canonical libwebsockets.org networking library
https://libwebsockets.org

Can I change the result of OpenSSL_client_verify_callback or specify a different verify_callback for openssl to use? #3175

Open PJ2501 opened 3 months ago

PJ2501 commented 3 months ago

Hi, I'm using libwebsockets as a wss client. I have the following problem. Would you please help to have a look? I added a CRL file to the SSL_CTX in the LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS callback, like this:

case LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS:
...
    if (crlPath) {
        /* sslCtx is the SSL_CTX handed to this callback by lws */
        X509_STORE *store = SSL_CTX_get_cert_store(sslCtx);
        /* CRL_CHECK_ALL requires a CRL for every CA in the chain, not only the leaf's issuer */
        (VOS_VOID)X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
        /* load the CRL file into the same store the client uses for verification */
        X509_STORE_load_locations(store, crlPath, 0);
    }
...

It works well when the issuer of the peer's certificate is the same as the issuer of the CRL. If it is different, I expect the TLS handshake to succeed, but actually I get an "unable to get certificate CRL" error. I want to handle this error in the OpenSSL verify_callback, but I don't see a way to do it.

If I specify a callback to SSL_CTX via SSL_CTX_set_verify, it will be replaced by OpenSSL_client_verify_callback. And I can't change the result of the OpenSSL_client_verify_callback.

Is there another way that I haven't found? Or, will a callback be added to OpenSSL_client_verify_callback, like LWS_CALLBACK_OPENSSL_PERFORM_CLIENT_CERT_VERIFICATION, in the future?

Any help or pointers would be greatly appreciated! Thanks!

lws-team commented 3 months ago

lws is FOSS, if you want to add a callback, please suggest a patch for it.