The SSL_CTX_set_verify()
and SSL_set_verify()
calls can be used to set the verify_callback()
function for the underlying context and ssl, respectively. Here is a snippet from the documentation of verify_callback()
:
The return value of verify_callback controls the strategy of the further verification process. If verify_callback returns 0, the verification process is immediately stopped with “verification failed” state. If SSL_VERIFY_PEER is set, a verification failure alert is sent to the peer and the TLS/SSL handshake is terminated. If verify_callback returns 1, the verification process is continued. If verify_callback always returns 1, the TLS/SSL handshake will not be terminated with respect to verification failures and the connection will be established.
Now to my question. If I setup the verify_callback()
(along with any other necessary OpenSSL setup calls, certificates, etc.), then call SSL_connect()
, is it safe to assume that any call to verify_callback()
for connection establishment purposes will return before the return of the SSL_connect()
call?
It appears to me that this is a safe assumption since the documentation states that this callback is what determines whether a connection will be established or not. Therefore, the callback will directly affect the return value of the SSL_connect()
call. Can anyone confirm/deny this assumption?
Advertisement
Answer
Assuming that you are interested only in TCP connection : short answer: yes, long answer: it depends:
- If you connect in blocking mode – always yes
- If you connect in non-blocking mode –
SSL_connect
may return -1 during the process of establishing connection. In this case you should callSSL_get_error
and check what the problem was (if it returnsSSL_ERROR_WANT_READ
orSSL_ERROR_WANT_WRITE
you need to repeat theSSL_connect
call). If you need to repeat the call – then the answer is no (verify_callback
will be called somewhere between first and lastSSL_connect
call).