The SSL_CTX_set_verify() and SSL_set_verify() calls can be used to set the verify_callback() function for the underlying context and ssl, respectively. Here is a snippet from the documentation of verify_callback():
The return value of verify_callback controls the strategy of the further verification process. If verify_callback returns 0, the verification process is immediately stopped with “verification failed” state. If SSL_VERIFY_PEER is set, a verification failure alert is sent to the peer and the TLS/SSL handshake is terminated. If verify_callback returns 1, the verification process is continued. If verify_callback always returns 1, the TLS/SSL handshake will not be terminated with respect to verification failures and the connection will be established.
Now to my question. If I setup the verify_callback() (along with any other necessary OpenSSL setup calls, certificates, etc.), then call SSL_connect(), is it safe to assume that any call to verify_callback() for connection establishment purposes will return before the return of the SSL_connect() call?
It appears to me that this is a safe assumption since the documentation states that this callback is what determines whether a connection will be established or not. Therefore, the callback will directly affect the return value of the SSL_connect() call. Can anyone confirm/deny this assumption?
Advertisement
Answer
Assuming that you are interested only in TCP connection : short answer: yes, long answer: it depends:
- If you connect in blocking mode – always yes
- If you connect in non-blocking mode –
SSL_connectmay return -1 during the process of establishing connection. In this case you should callSSL_get_errorand check what the problem was (if it returnsSSL_ERROR_WANT_READorSSL_ERROR_WANT_WRITEyou need to repeat theSSL_connectcall). If you need to repeat the call – then the answer is no (verify_callbackwill be called somewhere between first and lastSSL_connectcall).