verify_callback
Is the callback specified by verify_callback used to perform the verification itself, or to do processing after verification? The text below is copied from the OpenSSL documentation (set peer certificate verification parameters); the Ruby docs do not describe this point in much detail.
The actual verification procedure is performed either using the built-in verification procedure or using another application provided verification function set with SSL_CTX_set_cert_verify_callback. ... The verify_callback function is used to control the behaviour when the SSL_VERIFY_PEER flag is set.
Even when preverify_ok is true, the Puppet code below still checks the peer again (preverify_ok = valid_peer?). I don't quite understand why it is done this way. If the callback itself performs the verification of the peer, then how is the value of preverify_ok determined?

def call(preverify_ok, store_context)
  # We must make a copy since the scope of the store_context will be lost
  # across invocations of this method.
  if preverify_ok
    current_cert = store_context.current_cert
    @peer_certs << Puppet::SSL::Certificate.from_instance(current_cert)

    # If we've copied all of the certs in the chain out of the SSL library
    # (OpenSSL calls this method once per certificate, root first, so this
    # is only true on the final call, for the peer certificate itself)
    if @peer_certs.length == store_context.chain.length
      # (#20027) The peer cert must be issued by a specific authority
      preverify_ok = valid_peer?
    end
  else
    error = store_context.error || 0
    error_string = store_context.error_string || "OpenSSL error #{error}"

    case error
    when OpenSSL::X509::V_ERR_CRL_NOT_YET_VALID
      # current_crl can be nil
      # https://github.com/ruby/ruby/blob/ruby_1_9_3/ext/openssl/ossl_x509store.c#L501-L510
      crl = store_context.current_crl
      if crl
        if crl.last_update && crl.last_update < Time.now + FIVE_MINUTES_AS_SECONDS
          Puppet.debug("Ignoring CRL not yet valid, current time #{Time.now.utc}, CRL last updated #{crl.last_update.utc}")
          # Returning true here tells OpenSSL to ignore this one error and
          # carry on with the rest of the chain verification.
          preverify_ok = true
        else
          @verify_errors << "#{error_string} for #{crl.issuer}"
        end
      else
        @verify_errors << error_string
      end
    else
      current_cert = store_context.current_cert
      @verify_errors << "#{error_string} for #{current_cert.subject}"
    end
  end

  preverify_ok
rescue => ex
  @verify_errors << ex.message
  false
end
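To see where preverify_ok comes from and what the callback's return value does, here is an added example (it is not Puppet's code and not from the original page). It builds a throwaway CA and leaf certificate in memory (constructed test data), runs OpenSSL's built-in verification through OpenSSL::X509::Store with a verify_callback, and records what OpenSSL hands the callback on each invocation: preverify_ok is OpenSSL's own verdict for the certificate at store_context.error_depth (true if it passed the built-in checks, false with store_context.error set otherwise), the callback is invoked once per certificate from the root down to the peer, and the value returned decides whether verification continues. The helper names verify_with_trace, issued_by_policy and BLIND_ACCEPT and the CA names are my own; issued_by_policy mirrors the idea behind Puppet's valid_peer? (only re-check once OpenSSL has reached a valid depth-0 certificate), and BLIND_ACCEPT shows why a callback must not simply return true: an untrusted chain then "verifies" with no signature checked at all, which is why Puppet overrides preverify_ok for exactly one CRL error and nothing else.

```ruby
require 'openssl'

# Added example (not Puppet's code): build a throwaway CA and a leaf
# certificate in memory, then run OpenSSL's built-in verification with a
# verify_callback that records what OpenSSL hands it on each invocation.
# All certificates and names below are constructed for this example only.

def build_cert(subject, key, serial:, ca:, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", ca ? "keyCertSign,cRLSign" : "digitalSignature", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

CA_KEY    = OpenSSL::PKey::RSA.new(2048)
CA_CERT   = build_cert("/CN=Example Puppet CA", CA_KEY, serial: 1, ca: true)
OTHER_KEY = OpenSSL::PKey::RSA.new(2048)
OTHER_CA  = build_cert("/CN=Unrelated CA", OTHER_KEY, serial: 2, ca: true)
LEAF_KEY  = OpenSSL::PKey::RSA.new(2048)
LEAF_CERT = build_cert("/CN=agent.example", LEAF_KEY, serial: 3, ca: false,
                       issuer_cert: CA_CERT, issuer_key: CA_KEY)

# Verify `cert` against a store that trusts `trusted_ca`, with a verify_callback.
# `policy` (optional) receives (preverify_ok, store_context) and returns the
# value the callback hands back to OpenSSL; by default preverify_ok is passed
# through unchanged. Returns [verified?, store.error, trace], where `trace`
# holds one entry per callback invocation.
def verify_with_trace(cert, trusted_ca, &policy)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_ca)
  trace = []
  store.verify_callback = lambda do |preverify_ok, ctx|
    # preverify_ok is OpenSSL's own verdict for the certificate at
    # ctx.error_depth: true = passed the built-in checks, false = failed,
    # with the reason in ctx.error.
    trace << { depth: ctx.error_depth,
               subject: ctx.current_cert.subject.to_s,
               preverify_ok: preverify_ok,
               error: ctx.error,
               chain_so_far: (ctx.chain || []).length }
    # Ruby's binding treats any return value other than `true` as "reject"
    # (it sets X509_V_ERR_CERT_REJECTED), so coerce to a strict boolean.
    policy ? (policy.call(preverify_ok, ctx) == true) : preverify_ok
  end
  ok = store.verify(cert)
  [ok, store.error, trace]
end

# The same idea as Puppet's valid_peer? check (#20027): once OpenSSL has
# reached the peer certificate (depth 0) and found it valid, additionally
# require that it was issued by a specific CA. Anything OpenSSL already
# rejected stays rejected.
def issued_by_policy(expected_issuer_cn)
  lambda do |preverify_ok, ctx|
    next preverify_ok unless preverify_ok && ctx.error_depth == 0
    ctx.current_cert.issuer.to_a.any? { |name, value, _| name == "CN" && value == expected_issuer_cn }
  end
end

# The footgun: returning true regardless of preverify_ok tells OpenSSL to
# ignore every error, so even an untrusted chain "verifies".
BLIND_ACCEPT = lambda { |_preverify_ok, _ctx| true }

if $PROGRAM_NAME == __FILE__
  ok, err, trace = verify_with_trace(LEAF_CERT, CA_CERT)
  puts "trusted chain, pass-through: ok=#{ok} error=#{err}"
  trace.each { |t| puts "  depth=#{t[:depth]} preverify_ok=#{t[:preverify_ok]} #{t[:subject]}" }
  ok, err, _ = verify_with_trace(LEAF_CERT, CA_CERT, &issued_by_policy("Unrelated CA"))
  puts "trusted chain, wrong issuer required: ok=#{ok} error=#{err}"
  ok, err, _ = verify_with_trace(LEAF_CERT, OTHER_CA)
  puts "untrusted chain, pass-through: ok=#{ok} error=#{err}"
  ok, err, _ = verify_with_trace(LEAF_CERT, OTHER_CA, &BLIND_ACCEPT)
  puts "untrusted chain, blind accept: ok=#{ok} error=#{err}"
end
```

Run it and the trace for the trusted chain shows two invocations, depth 1 (the CA) then depth 0 (the leaf), both with preverify_ok true; the policy that demands the wrong issuer turns that into a rejection, the untrusted chain fails with "unable to get local issuer certificate" when preverify_ok is passed through, and BLIND_ACCEPT makes the same untrusted chain pass.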