Forum Discussion
Kevin_Stewart
Aug 30, 2006Employee
ssl::verify result question
Is there a way to use OpenSSL functions with SSL::verify_result? I've heard mention that SSL::verify_result uses functions from OpenSSL. Can I assume that it is mimicking the verify function? And if so is there a way to extend SSL::verify_result to use either the -purpose or -issuer-checks parameters?
We are requiring client certs on our BigIP, but most of our clients have separate identity and email certificates signed by different intermediates of the same root CA. We are also using OCSP to do crl checking on the presented certs. When the client presents a valid identity cert, SSL::verify_result returns a 0, or "ok", the ocsp irule goes to AUTH_SUCCESS event, and all is well. When the client submits an email certificate, SSL::verify_result returns a 0 "ok", and the ocsp irule goes to AUTH_FAILURE as expected (since we don't have crl's for the email root, it fails shut). Now, when the client presents a revoked (but not expired) certificate, SSL::verify_result still returns 0 "ok", and the ocsp irule goes to AUTH_FAILURE (as expected). So the problem is that a revoked cert and an email cert flag the same results. They both fail ocsp, but there's no way to differentiate the two.
So basically we need a way of telling them apart so we can alert the client appropriately.
Thanks in advance.
K Stewart
No RepliesBe the first to reply
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects