NetSSL: Allow per-Context InvalidCertificateHandler #3299

@obiltschnig

Description

Currently, an InvalidCertificateHandler can only be specified globally, via SSLManager.
For some applications, it's necessary to use different strategies when handling invalid certificates, depending on the connection.

There is a way in OpenSSL to obtain the related SSL and SSL_CTX
structures from the X509_STORE_CTX* argument passed to SSLManager::verifyCallback().

So a potential solution could be as follows:

  1. Poco::Net::Context stores its this pointer in the underlying SSL_CTX object with
    SSL_CTX_set_ex_data().

  2. A Poco::Net::Context::Ptr member will be added to Poco::Net::VerificationErrorArgs.

  3. In SSLManager::verifyCallback(), obtain the SSL*, from the SSL_CTX*, and
    from that the Context::Ptr. Pass the Context::Ptr to the VerificationErrorArgs.

  4. This way, the InvalidCertificateHandler has access to the underlying Context.

  5. It’s now also possible to specify a custom InvalidCertificateHandler for each Context.
    SSLManager::verifyCallback() would check whether there is a non-null InvalidCertificateHandler
    specified for the Context. If it is, that InvalidCertificateHandler will be used, otherwise
    the default one from the SSLManager.
