OpenSSL: How to supply a custom pointer to the certificate verification callback
I want to use X509_STORE_set_verify_cb_func to receive certificate validation errors. I then want to store these errors in a list and process it later after SSL_connect returned.
However my application is multithreaded and I wanted to avoid any mutex locking for this callback. Any ways to pass a "void pointer" or store this somewhere in the X509_STORE_CTX so I can store the error inside the "right" location and don't have to use a global error list and lock that while doing the SSL_connect?
Thanks
AFAIK you are indeed stuck with that - just stuff it as an entry in there under your own id. The other option is to deal with the SSL callbacks a bit more generically - see for example ssl_hook in ssl_engine_kernel.c of Apache's SSL module. While a bit more work - it gives you complete control over the entire process - and entirely in your 'own process space'.
Thanks,
Dw.
If you are using C11 or later, you can define a global thread_local variable
#include <threads.h>   /* provides the thread_local macro in C11 */
thread_local void *openssl_verify_context;
Then
- Set openssl_verify_context before setting the callback (i.e. before X509_STORE_set_verify_cb_func).
- Use openssl_verify_context in the callback.
- If needed, read and unset openssl_verify_context after validating the certificate (i.e. after PKCS7_dataVerify).
The advantage of this solution is you do not need to know the details of the struct behind X509_STORE_CTX (it is hidden in recent versions of OpenSSL).