Topic: wolfSSL_connect PATCH
I have posted topics related to certificate validation, and wolfSSL was written to have a callback in the VERIFY_PEER function that allows handling certificate errors and letting the connection continue.
But I wanted a mechanism that will always return GOOD from wolfSSL_connect and then allow me to analyze the failure and take action, so I patched wolfSSL 2.4.0.
internal.h - struct wolfSSL - Added two integer members:

    int validcert;
    int certerr;

ssl.h - Added 2 functions:

    WOLFSSL_API int wolfSSL_validcert(WOLFSSL*);
    WOLFSSL_API int wolfSSL_certerr(WOLFSSL*);

ssl.c - Added 2 functions:

    /* 22 = chain verified, -22 = verify failed (see internal.c below) */
    int wolfSSL_validcert(WOLFSSL* ssl)
    {
        return ssl->validcert;
    }

    /* the verify error code recorded during the handshake, 0 if none */
    int wolfSSL_certerr(WOLFSSL* ssl)
    {
        return ssl->certerr;
    }
internal.c - wherever verifyCallback is called, I commented that code out. The block beginning with

    if (ssl->verifyCallback) {

was changed to:

    fatal = 0;
    if (ret == 0 && ssl->options.side == CLIENT_END)
        ssl->options.serverState = SERVER_CERT_COMPLETE;
    /* Code addition - we intercept the layer that handles the verify
     * callback and replace it with just setting error flags */
    ssl->certerr   = ret;
    ssl->validcert = -22;
    if (ret == 0) ssl->validcert = 22;
    ret = 0;
    /* COMMENT OUT CODE BLOCK
    if (ret != 0)
    {
        if (!ssl->options.verifyNone) {
            int why = bad_certificate;
    */

and all of the remaining verifyCallback code block is commented out the same way.
Maybe wolfSSL could add a choice of whether you want a callback or some function calls, and maybe a #define NO_VERIFY_CALLBACK, #define WANT_CERT_ERRORS or something to that effect, to allow clients to connect to ANY HTTPS server regardless of CA cert validation
and then allow them to continue or stop based on security requirements.
I never liked having a mixture of callbacks and member functions; straight function calls are more readable and more
But some may want callbacks because they may give greater flexibility with the CTX_509_STORE structure, but I will not use it.
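The "connect first, decide afterwards" behaviour the poster patched into the library can also be had through the verify callback wolfSSL already ships: the callback returns 1 so the handshake continues, records the verify code from store->error in application-owned state, and the application applies an explicit policy once wolfSSL_connect returns. The block below is an added example, not the poster's patch and not wolfSSL code. So that it compiles without the library, the X509_STORE_CTX_STANDIN type, the ERR_* codes and simulate_handshake() are constructed stand-ins that mirror the shape of the real interface (wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, cb), a callback of the form int cb(int preverify, WOLFSSL_X509_STORE_CTX* store), and store->error); only recording_verify_cb() and cert_verdict() are the parts you would keep with the real headers.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for WOLFSSL_X509_STORE_CTX: only the fields the
 * callback reads. Not the library's definition. */
typedef struct {
    int   error;        /* verify error code for the certificate at this depth */
    int   error_depth;  /* 0 = leaf, higher = issuers */
    void *userCtx;      /* application state handed to the callback */
} X509_STORE_CTX_STANDIN;

/* Constructed error codes; real wolfSSL uses its own negative ASN_* codes. */
enum {
    VERIFY_OK         =  0,
    ERR_NO_SIGNER     = -1,   /* issuer not found in the CA store */
    ERR_EXPIRED       = -2,
    ERR_BAD_SIGNATURE = -3
};

/* Per-connection record: what the poster's validcert/certerr fields carry,
 * but kept in application memory instead of inside struct WOLFSSL. */
typedef struct {
    int valid;        /* 1 while every certificate in the chain verified */
    int first_error;  /* first non-zero verify code seen, 0 if none */
    int error_depth;  /* chain depth at which first_error occurred */
    int certs_seen;   /* how many certificates the callback saw */
} cert_state_t;

void cert_state_init(cert_state_t *st)
{
    memset(st, 0, sizeof *st);
    st->valid = 1;
}

/* Verify callback: invoked once per certificate in the chain. Always returns
 * 1 so the handshake continues, but records the first failure it sees. */
int recording_verify_cb(int preverify, X509_STORE_CTX_STANDIN *store)
{
    cert_state_t *st = (cert_state_t *)store->userCtx;
    st->certs_seen++;
    if (!preverify) {
        st->valid = 0;
        if (st->first_error == 0) {
            st->first_error = store->error;
            st->error_depth = store->error_depth;
        }
    }
    return 1;  /* do not abort here; the application decides after connect */
}

/* Application policy, evaluated after wolfSSL_connect() has returned.
 * Returns 1 to keep the connection, 0 to close it. A failed chain is kept
 * only if its first error is one the caller listed explicitly. */
int cert_verdict(const cert_state_t *st, const int *tolerated, size_t n)
{
    size_t i;
    if (st->certs_seen == 0) return 0;   /* no certificate was ever checked */
    if (st->valid) return 1;
    for (i = 0; i < n; i++)
        if (tolerated[i] == st->first_error) return 1;
    return 0;
}

/* Constructed driver: feeds the callback the way the library would for a
 * chain given root-first (errs[0] is the root, errs[n-1] the leaf).
 * Returns the recorded valid flag. */
int simulate_handshake(cert_state_t *st, const int *errs, size_t n)
{
    X509_STORE_CTX_STANDIN store;
    size_t i;
    cert_state_init(st);
    store.userCtx = st;
    for (i = 0; i < n; i++) {
        store.error       = errs[i];
        store.error_depth = (int)(n - 1 - i);
        recording_verify_cb(errs[i] == VERIFY_OK, &store);
    }
    return st->valid;
}

int main(void)
{
    cert_state_t st;
    const int tolerate_expired[] = { ERR_EXPIRED };
    const int expired_leaf[]  = { VERIFY_OK, ERR_EXPIRED };
    const int unknown_root[]  = { ERR_NO_SIGNER, ERR_NO_SIGNER };

    simulate_handshake(&st, expired_leaf, 2);
    printf("expired leaf, expired tolerated: keep=%d (error %d at depth %d)\n",
           cert_verdict(&st, tolerate_expired, 1), st.first_error, st.error_depth);

    simulate_handshake(&st, unknown_root, 2);
    printf("unknown root, expired tolerated: keep=%d (error %d at depth %d)\n",
           cert_verdict(&st, tolerate_expired, 1), st.first_error, st.error_depth);
    return 0;
}
```

The policy in cert_verdict() is deliberately an allowlist of specific error codes rather than a single "ignore errors" switch: an expired certificate and an unknown issuer are different risks, and a connection that presented no chain at all is rejected regardless of what is tolerated.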