git.ipfire.org Git - thirdparty/openssl.git/commit
doc: Discuss calling X509_verify_cert in cert_verify_callback (branch: openssl-3.2)
author: David Benjamin <davidben@google.com>
Mon, 20 Oct 2025 21:38:14 +0000 (17:38 -0400)
committer: Tomas Mraz <tomas@openssl.org>
Mon, 24 Nov 2025 18:23:05 +0000 (19:23 +0100)
commit: 14ddbcee237cb99b3921c352852b4d4fadbb8e6c
tree: 7402b7b998f3a273cba0075833aad33caf3f82f2
parent: 9a30e1411294575c9ceecb87edef4331b1643913
doc: Discuss calling X509_verify_cert in cert_verify_callback

Using SSL_CTX_set_cert_verify_callback but still calling
X509_verify_cert is useful if applications want to dynamically
configure the X509_STORE_CTX, or postprocess the result, in a way that
does not quite fit the somewhat unpredictable behavior of the
SSL_CTX_set_verify callback. (In my experience, applications rarely
realize it is called multiple times. It's also too late at that point to
reconfigure the X509_STORE_CTX as verification has already started.)

There is one note in the docs that the callback needs to stash the
verify result with X509_STORE_CTX_set_error, but it is not immediately
obvious that X509_verify_cert will do so, or that it is the built-in
behavior. Add a paragraph discussing this.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28960)

(cherry picked from commit 069181d7f39beaae22bfa67bcba3c5fe93acafd4)
doc/man3/SSL_CTX_set_cert_verify_callback.pod