I'm looking at making changes to apply a common certificate revocation checking policy across a range of server products using OpenSSL for certificate verification on outbound TLS connections. I can see that I can hook into OpenSSL using SSL_CTX_set_verify or SSL_CTX_set_cert_verify_callback (or equivalents for SSL and X509_STORE objects) to add appropriate checking; however, we have a large number of places that verify certificates and there are often several layers between the application code and OpenSSL. For example, Python code using requests ultimately uses OpenSSL to verify the server certificate, but getting access to the SSL_CTX is non-trivial.
Are there any mechanisms I'm missing that would allow changing the default behaviour of certificate verification at a broader scope, e.g. per-process, or across the whole OS?