Skip to content
Advertisement

OpenSSL verify_callback and SSL_connect

The SSL_CTX_set_verify() and SSL_set_verify() calls can be used to set the verify_callback() function for the underlying context and ssl, respectively. Here is a snippet from the documentation of verify_callback():

The return value of verify_callback controls the strategy of the further verification process. If verify_callback returns 0, the verification process is immediately stopped with “verification failed” state. If SSL_VERIFY_PEER is set, a verification failure alert is sent to the peer and the TLS/SSL handshake is terminated. If verify_callback returns 1, the verification process is continued. If verify_callback always returns 1, the TLS/SSL handshake will not be terminated with respect to verification failures and the connection will be established.

Now to my question. If I setup the verify_callback() (along with any other necessary OpenSSL setup calls, certificates, etc.), then call SSL_connect(), is it safe to assume that any call to verify_callback() for connection establishment purposes will return before the return of the SSL_connect() call?

It appears to me that this is a safe assumption since the documentation states that this callback is what determines whether a connection will be established or not. Therefore, the callback will directly affect the return value of the SSL_connect() call. Can anyone confirm/deny this assumption?

Advertisement

Answer

Assuming that you are interested only in TCP connection : short answer: yes, long answer: it depends:

  • If you connect in blocking mode – always yes
  • If you connect in non-blocking modeSSL_connect may return -1 during the process of establishing connection. In this case you should call SSL_get_error and check what the problem was (if it returns SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE you need to repeat the SSL_connect call). If you need to repeat the call – then the answer is no (verify_callback will be called somewhere between first and last SSL_connect call).
User contributions licensed under: CC BY-SA
9 People found this is helpful
Advertisement