DanKegel wrote, On 2008-12-18 12:12:
> http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html#1088928
> says "To obtain the certificate that was rejected by the certificate
> authentication callback, the callback function calls
> SSL_PeerCertificate."

The sentence above could be clarified by inserting the words "bad certificate", so that it reads "... the bad certificate callback function calls SSL_PeerCertificate". This sentence appears in the description of the "Bad Certificate" callback function which the application may supply. As explained in that description, the Bad Cert callback, if supplied by the application, is called immediately after the certificate authentication callback returns a failure result. Being the second callback, the "bad cert" callback may wish to know what cert was rejected by the earlier cert auth callback. The bad cert callback calls SSL_PeerCertificate to get that info. Note that SSL_PeerCertificate is also the function called by the first callback (the certificate authentication callback) to get the cert it is being asked to authenticate.

> And it really does mean the callback function. Once that returns, the
> information is destroyed, and SSL_PeerCertificate will fail.

Yeah, once the handshake is over, much of the info it used is gone, unless the application makes its own copy during the handshake.

> This seems obvious in retrospect. Just posting here in case anyone
> else trips on this.

Thanks. Feel free to file a documentation bug against that web page.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto