Kevin_Stewart
Aug 30, 2006

SSL::verify_result question

Is there a way to use OpenSSL functions with SSL::verify_result? I've heard mention that SSL::verify_result uses functions from OpenSSL. Can I assume that it is mimicking the verify function? And if so is there a way to extend SSL::verify_result to use either the -purpose or -issuer-checks parameters?

We are requiring client certs on our BigIP, but most of our clients have separate identity and email certificates signed by different intermediates of the same root CA. We are also using OCSP to do CRL checking on the presented certs. When the client presents a valid identity cert, SSL::verify_result returns a 0, or "ok", the OCSP iRule goes to the AUTH_SUCCESS event, and all is well. When the client submits an email certificate, SSL::verify_result returns a 0 "ok", and the OCSP iRule goes to AUTH_FAILURE as expected (since we don't have CRLs for the email root, it fails shut). Now, when the client presents a revoked (but not expired) certificate, SSL::verify_result still returns 0 "ok", and the OCSP iRule goes to AUTH_FAILURE (as expected). So the problem is that a revoked cert and an email cert flag the same results. They both fail OCSP, but there's no way to differentiate the two.

So basically we need a way of telling them apart so we can alert the client appropriately.

Thanks in advance.

K Stewart
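Editor's note, added example (not part of the original post and not code from the poster or from F5): the post says the identity and email certs come from different intermediates under the same root, so the issuer DN of the presented cert is available before OCSP runs and can separate the two cases that SSL::verify_result alone cannot. The iRule below classifies the client cert by issuer in CLIENTSSL_CLIENTCERT, records why the OCSP check failed in AUTH_FAILURE, and answers the client with a specific message in HTTP_REQUEST. The intermediate CA names, the variable names cert_class and auth_state, and the response text are placeholders assumed for illustration; the commands used (SSL::verify_result, SSL::cert, X509::issuer, HTTP::respond) and the events are standard iRules commands, but check them against the documentation for your BIG-IP version.

```tcl
# Added example, not from the original post. Classify the client cert by issuer so an
# email cert (wrong intermediate) can be told apart from a revoked identity cert (right
# intermediate, OCSP failure). CA names below are placeholders.
when CLIENTSSL_CLIENTCERT {
    set cert_class "none"
    set auth_state "pending"

    # SSL::verify_result is the OpenSSL verify result code; 0 means the chain built to
    # a trusted root. As the post notes, both identity and email certs pass this step.
    if { [SSL::cert count] == 0 || [SSL::verify_result] != 0 } {
        set cert_class "invalid"
        return
    }

    # Issuer DN of the leaf certificate the client presented.
    set issuer [X509::issuer [SSL::cert 0]]

    # Placeholder intermediate names; substitute the real DNs from your PKI.
    switch -glob -- $issuer {
        "*CN=Example Identity Intermediate CA*" { set cert_class "identity" }
        "*CN=Example Email Intermediate CA*"    { set cert_class "email" }
        default                                 { set cert_class "unknown" }
    }
}

# The OCSP check the post describes still runs; these events only record its outcome.
when AUTH_SUCCESS {
    set auth_state "ok"
}

when AUTH_FAILURE {
    # OCSP failed. If the cert came from the identity intermediate, the only remaining
    # explanation in the post's scenario is revocation; an email cert fails because no
    # CRL/OCSP source exists for it, and the issuer check already told us which it was.
    set auth_state "failed"
}

when HTTP_REQUEST {
    if { $auth_state eq "ok" && $cert_class eq "identity" } {
        # Valid, non-revoked identity cert: let the request through.
        return
    }

    # Distinguish the two cases that look identical to SSL::verify_result + OCSP alone.
    switch -- $cert_class {
        "email" {
            HTTP::respond 403 content "You presented your email certificate. Please select your identity certificate and try again."
        }
        "identity" {
            HTTP::respond 403 content "Your identity certificate has been revoked or could not be validated. Please contact the help desk."
        }
        default {
            HTTP::respond 403 content "A valid client certificate is required."
        }
    }
}
```

The classification is done before the OCSP lookup because that is the only point where the two cases differ: afterwards both produce AUTH_FAILURE. Matching on the full issuer DN (rather than just the root) is what makes the distinction, since both chains end at the same root; if the PKI changes intermediates, the placeholder strings have to be updated accordingly, so prefer a data group or an exact-match list over glob patterns in production.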