Hi:
I'm using libwebsockets as a wss client. I have the following problem. Would you please help to have a look?
I added a CRL file to the SSL_CTX in the LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS callback, like this:
```c
case LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS:
    ...
    if (crlPath) {
        /* the X509_STORE that OpenSSL will use to verify the peer chain */
        X509_STORE *store = SSL_CTX_get_cert_store(sslCtx);
        /* enable CRL checking for the leaf and for the whole chain */
        (VOS_VOID)X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
        /* load the CRL file into the store (the return value is not checked here) */
        X509_STORE_load_locations(store, crlPath, 0);
    }
    ...
```
It works well when the issuer of the peer's certificate is the same as the issuer of the CRL. If it is different, I expect the TLS handshake to succeed, but actually I get an "unable to get certificate CRL" error.
I want to handle this error in the OpenSSL verify_callback, but I don't see a way to do it.
If I specify a callback to SSL_CTX via SSL_CTX_set_verify, it will be replaced by OpenSSL_client_verify_callback, and I can't change the result of OpenSSL_client_verify_callback.
Is there another way that I haven't found? Or, will a callback be added to OpenSSL_client_verify_callback, like LWS_CALLBACK_OPENSSL_PERFORM_CLIENT_CERT_VERIFICATION, in the future?
Any help or pointers would be greatly appreciated!
Thanks!
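The behaviour described in the issue can be reproduced outside libwebsockets with the `openssl` CLI alone. The script below is an added example, not code from the issue or from the libwebsockets project: it builds two throwaway CAs (`a` and `b`), a leaf certificate issued by `a`, and an empty CRL from each CA, then verifies the leaf with CRL checking enabled once using `a`'s CRL and once using `b`'s. The second run fails with "unable to get certificate CRL" because OpenSSL, once `X509_V_FLAG_CRL_CHECK` is set, requires a CRL from the issuer of the certificate being checked; a CRL from an unrelated issuer does not count. It assumes an `openssl` binary (1.1.1 or 3.x) on `PATH`; every key, certificate and CRL is generated here in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the issue or libwebsockets): show why a CRL from a
# different issuer yields X509_V_ERR_UNABLE_TO_GET_CRL ("unable to get
# certificate CRL") when CRL checking is switched on.
# Assumption: `openssl` (1.1.1 or 3.x) is on PATH. All material is constructed
# here in a temporary directory and is throwaway.
set -u

# Create a self-signed CA called $1 under directory $2, plus an empty CRL
# issued by that CA (so the CRL issuer is known and controlled).
make_ca() {
    local name=$1 dir=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Test CA $name" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null || return 1
    # Minimal config for `openssl ca -gencrl`; the database may be empty.
    cat > "$dir/$name.cnf" <<EOF
[ ca ]
default_ca = ca_$name
[ ca_$name ]
database = $dir/$name.index
default_md = sha256
default_crl_days = 30
EOF
    : > "$dir/$name.index"
    openssl ca -config "$dir/$name.cnf" -gencrl \
        -keyfile "$dir/$name.key" -cert "$dir/$name.crt" \
        -out "$dir/$name.crl" 2>/dev/null
}

# Issue a leaf certificate under directory $2 signed by CA $1.
make_leaf() {
    local ca=$1 dir=$2
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/leaf.csr" -days 30 \
        -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" -CAcreateserial \
        -out "$dir/leaf.crt" 2>/dev/null
}

# Build the whole PKI (CA a, CA b, leaf signed by a) and print its directory.
setup_pki() {
    local dir
    dir=$(mktemp -d) || return 1
    make_ca a "$dir" && make_ca b "$dir" && make_leaf a "$dir" || return 1
    printf '%s\n' "$dir"
}

# Verify leaf.crt against CA a with CRL checking on (-crl_check is the CLI
# equivalent of X509_V_FLAG_CRL_CHECK), using the CRL issued by CA $2.
# Prints openssl's diagnostics and returns its exit status.
verify_leaf_with_crl_from() {
    local dir=$1 crl_ca=$2
    openssl verify -crl_check -CAfile "$dir/a.crt" \
        -CRLfile "$dir/$crl_ca.crl" "$dir/leaf.crt" 2>&1
}

main() {
    local pki
    pki=$(setup_pki) || { echo "PKI setup failed"; return 1; }
    echo "== CRL issued by the leaf's own issuer (a): expected OK"
    verify_leaf_with_crl_from "$pki" a
    echo "== CRL issued by an unrelated CA (b): expected 'unable to get certificate CRL'"
    verify_leaf_with_crl_from "$pki" b
    rm -rf "$pki"
}

main
```

The practical consequence for the setup in the issue: with `X509_V_FLAG_CRL_CHECK` (and even more so with `X509_V_FLAG_CRL_CHECK_ALL`, which applies the same rule to every certificate in the chain) the store has to contain a current CRL from each issuer it is asked to check, so the fix is to load the right CRLs rather than to override the verify result.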