Making broad changes to revocation checking #24398
Unanswered
thomaswhiteway asked this question in Q&A
Replies: 0 comments
I'm looking at making changes to apply a common certificate revocation checking policy across a range of server products using OpenSSL for certificate verification on outbound TLS connections. I can see that I can hook into OpenSSL using SSL_CTX_set_verify or SSL_CTX_set_cert_verify_callback (or equivalents for SSL and X509_STORE objects) to add appropriate checking; however, we have a large number of places that verify certificates and there are often several layers between the application code and OpenSSL. For example, Python code using requests ultimately uses OpenSSL to verify the server certificate, but getting access to the SSL_CTX is non-trivial.

Are there any mechanisms I'm missing that would allow changing the default behaviour of certificate verification at a broader scope, e.g. per-process, or across the whole OS?