Certificate Verification

From: Doug Hardie <bc979_at_lafn.org>
Date: Sun, 03 Mar 2024 08:24:21 UTC
Does SSL_accept actually verify client certificates if they are presented and if there is a verify_callback function?  The man page seems to indicate it is not verified, and that needs to be done in the callback.  I tried using an expired certificate and openssl correctly determined it was expired, but the preverify_ok value was still 1 and the certificate was accepted.  The documentation gives the values for preverify_ok but says nothing about what is checked to determine that value.

I tried to chase down the openssl code, but it is very complex.  It reminds me of the old saying: I can write Fortran in any language. ;-)

-- Doug