Hi all,
I'm struggling a bit and could really use a small push in the right
direction.
First what I'm trying to do. I want to verify client certificate using
OpenSSL. In order to make OpenSSL request client certificate during
negotiating, I'm setting
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
However, my problem is that this actually tries to verify the
certificate (sure, that's expected). However, at the moment I don't want
it verified, just requested. From what I've gathered around the internet,
the `OpenSSL::X509::Store#verify_callback=` should be the way to go,
but I can't get it to work.
Here is how store and context are created:
cert_store = OpenSSL::X509::Store.new
cert_store.set_default_paths
cert_store.verify_callback = lambda do |preverify_ok, store_ctx|
  true
end
ctx = OpenSSL::SSL::SSLContext.new
ctx.key = OpenSSL::PKey::RSA.new(File.open('test/certs/server.key'))
ctx.cert = OpenSSL::X509::Certificate.new(File.open('test/certs/server.crt'))
ctx.min_version = :TLS1_2
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
ctx.cert_store = cert_store
If I understand the documentation (`man SSL_CTX_set_verify`) correctly,
If verify_callback always returns 1, the TLS/SSL handshake will not be
terminated with respect to verification failures and the connection will
be established
my callback should basically mark any certificate as valid? However it
does not, when I try to connect it fails with:
in `accept_nonblock': SSL_accept returned=1 errno=0 state=error:
certificate verify failed (self signed certificate) (OpenSSL::SSL::SSLError)
Could anyone please point me in the right direction as to how to get
this to work?
Thank you very much!
W.
--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.
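An added example (my own code, not the poster's or the ruby/openssl project's) of what the post is after: the server requests a client certificate, lets the handshake complete whatever the chain result, and records what was presented so the policy decision can be made afterwards. It assumes that `SSLContext#verify_callback` is the callback the handshake honours (the store's own callback is not consulted by the SSL context), and it uses constructed self-signed certificates over a local socket pair so it runs offline.

```ruby
require 'openssl'
require 'socket'
# Constructed test material: a throwaway self-signed certificate and its key.
def self_signed(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Server context that demands a client certificate but defers the policy decision:
# the callback records what the peer presented plus OpenSSL's verdict and returns
# true so the handshake continues. Note: ctx.verify_callback, not Store#verify_callback.
def deferred_verify_context(cert, key, seen)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  ctx.min_version = :TLS1_2
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  ctx.verify_callback = lambda do |preverify_ok, store_ctx|
    seen << { depth: store_ctx.error_depth, subject: store_ctx.current_cert.subject.to_s,
              preverify_ok: preverify_ok, error: store_ctx.error_string }
    true # accept for now; the caller decides after the handshake (e.g. allowlist, pin)
  end
  ctx
end

# One in-process handshake over a socket pair; returns the server's observations.
def handshake_and_capture
  server_cert, server_key = self_signed('server.test')
  client_cert, client_key = self_signed('client.test')
  seen = []
  srv_io, cli_io = UNIXSocket.pair
  server = OpenSSL::SSL::SSLSocket.new(srv_io, deferred_verify_context(server_cert, server_key, seen))
  worker = Thread.new { server.accept; server.close }
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.cert, cctx.key = client_cert, client_key
  cctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(server_cert) }
  cctx.verify_mode = OpenSSL::SSL::VERIFY_PEER # the client still verifies the server
  client = OpenSSL::SSL::SSLSocket.new(cli_io, cctx)
  client.connect
  client.close
  worker.join
  seen
end
```

The self-signed client certificate fails OpenSSL's own chain check (preverify_ok is false), yet the handshake succeeds and the server holds the subject it was shown; the equivalent of the post's `lambda { true }` on the store alone would not be called.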