I'm writing my own callback function in C for SSL_CTX_set_verify() to perform additional certificate checks (when the preverify_ok parameter is 1). However, I want to perform the checks only for the leaf certificate (depth = 0).

There is the function X509_STORE_CTX_get_error_depth() that gets the depth of the error; but I want the current depth even when there is no error, so I can perform my additional checks only when depth = 0. (Note that the function SSL_CTX_get_verify_depth() returns the depth limit and not the current depth.)

Is there any way to do what I want?

In spite of the name, during the verify process error_depth is indeed the current certificate being checked. See the while loop in internal_verify in crypto/x509/x509_vfy.c. If either the callback or any builtin check -- here signature or expired, in other places in X509_verify_cert revocation, policy, etc. -- decides a cert is bad, verify logic returns with error_depth left at the cert that caused verify to return, and a subsequent call from 'above' finds that value which identifies the 'error' cert.