httpd-dev mailing list archives

From Jos Dehaes
Subject which callback to use to do custom certificate validation
Date Thu, 12 Aug 2004 08:29:54 GMT

We would like to do our own verification of client certificates, and to
that effect have written a module and a patch to mod_ssl that replaces
the verify callback with our own hook in ssl_hook_Access:

APR_OPTIONAL_FN_TYPE(custom_ssl_verify) *cust_verify = NULL;

/* Look up the optional verify function exported by our module, if loaded. */
cust_verify = APR_RETRIEVE_OPTIONAL_FN(custom_ssl_verify);
if (dc->nVerifyClient == SSL_CVERIFY_CUSTOM && cust_verify) {
    verify |= SSL_VERIFY_CLIENT_ONCE;
    modssl_set_verify(ssl, verify, cust_verify);
} else {
    /* Otherwise keep mod_ssl's stock callback. */
    modssl_set_verify(ssl, verify, ssl_callback_SSLVerify);
}

and something similar in ssl_init_ctx_verify (in ssl_engine_init.c).
This works, but we don't have access to the cert chain when our callback
is called (SSL_get_peer_cert_chain returns a NULL pointer). Is this
normal (not yet filled in)? Or do we use the wrong callback/hook at the
wrong place?

Any help appreciated, (please CC, since I'm not on the list),
