Topic: What to return from TLS verify callback?

I am trying to debug an issue with not receiving any data after the TLS handshake and happened to stumble across this

Verify callback overriding error!

It's printed after calling the verification callback and the code looks like this:

ok = ssl->verifyCallback(0, store);
if (ok) {
   WOLFSSL_MSG("Verify callback overriding error!");
   ret = 0;
}

Right now I return WOLFSSL_SUCCESS (1) which triggers the error message. I assume it's not an actual error since the following flow looks correct and an alert would be sent otherwise. Is it as simple as an incorrect message?


Re: What to return from TLS verify callback?

Hi Marco,

The return code from the verify callback allows an error to be overridden. By default the verify callback is only issued in the error case, unless you have `WOLFSSL_ALWAYS_VERIFY_CB` defined. You can use the `store->error` variable to determine the error reason (if one exists). A non-zero return code such as 1 or `WOLFSSL_SUCCESS` allows an error to be overridden. A return value of 0 means continue processing the error in the default way (fail).

For everyone's reference the verify callback is set using: `wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, myVerify);`

Here are some example implementations we use for internal testing of the verify callback:
https://github.com/wolfSSL/wolfssl/blob … st.h#L1361
https://github.com/wolfSSL/wolfssl/blob … st.h#L1404

Thanks,
David Garske, wolfSSL
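An added example (not from this thread and not wolfSSL's own code) of the return-value convention the reply describes, written so a callback fails closed: it returns non-zero (`WOLFSSL_SUCCESS`, 1) to override an error only when `store->error` is on an explicit allow-list, and 0 otherwise. The `verify_store` struct is a constructed stand-in for the two `WOLFSSL_X509_STORE_CTX` fields the policy reads (`error`, as named in the reply, and `error_depth`, which the real struct also carries); `verify_policy`, `verify_decision` and the `TEST_ERR_*` codes are assumptions made for the example so it runs without the library. The `USE_WOLFSSL_CALLBACK` section shows how the same decision function would sit behind `wolfSSL_CTX_set_verify`; it is only compiled when that macro is defined and wolfSSL's headers are available.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the WOLFSSL_X509_STORE_CTX fields consulted
 * here. Real code uses WOLFSSL_X509_STORE_CTX from <wolfssl/ssl.h>. */
struct verify_store {
    int error;        /* wolfSSL error code, 0 when there is none */
    int error_depth;  /* 0 = peer (leaf) certificate, >0 = CA chain */
};

/* Return convention from the thread: non-zero (WOLFSSL_SUCCESS == 1)
 * overrides the error, 0 lets the default failure path run. */
#define VERIFY_OVERRIDE 1
#define VERIFY_FAIL     0

/* Constructed error codes for the demonstration; they are not wolfSSL's. */
enum { TEST_ERR_A = -1001, TEST_ERR_B = -1002 };

/* Assumed policy object: which error codes may be overridden, and whether
 * overrides are limited to the leaf certificate (depth 0). */
struct verify_policy {
    const int *allowed_errors;
    size_t allowed_count;
    int leaf_only;
};

int verify_decision(int preverify, const struct verify_store *store,
                    const struct verify_policy *policy)
{
    size_t i;

    /* With WOLFSSL_ALWAYS_VERIFY_CB the callback also runs on success
     * (preverify == 1, store->error == 0); a non-zero return keeps it. */
    if (preverify && store->error == 0)
        return VERIFY_OVERRIDE;

    /* Never override errors raised on CA certificates when leaf_only. */
    if (policy->leaf_only && store->error_depth != 0)
        return VERIFY_FAIL;

    for (i = 0; i < policy->allowed_count; i++) {
        if (store->error == policy->allowed_errors[i])
            return VERIFY_OVERRIDE;
    }
    /* Default: let wolfSSL process the error (handshake fails). */
    return VERIFY_FAIL;
}

#ifdef USE_WOLFSSL_CALLBACK
#include <wolfssl/options.h>
#include <wolfssl/ssl.h>

/* Fail-closed production policy: nothing is overridable, the callback only
 * records why verification failed. Registered with
 * wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, myVerify); */
static int myVerify(int preverify, WOLFSSL_X509_STORE_CTX *store)
{
    struct verify_store s = { store->error, store->error_depth };
    struct verify_policy closed = { NULL, 0, 0 };
    int rc = verify_decision(preverify, &s, &closed);

    if (rc == VERIFY_FAIL)
        fprintf(stderr, "verify failed: error=%d depth=%d\n",
                store->error, store->error_depth);
    return rc;
}
#endif

/* Stand-alone demonstration with the constructed codes. */
int main(void)
{
    static const int allowed[] = { TEST_ERR_A };
    struct verify_policy test_policy = { allowed, 1, 1 };
    struct verify_store leaf = { TEST_ERR_A, 0 };
    struct verify_store chain = { TEST_ERR_A, 1 };
    struct verify_store other = { TEST_ERR_B, 0 };

    printf("leaf TEST_ERR_A  -> %d\n", verify_decision(0, &leaf, &test_policy));
    printf("chain TEST_ERR_A -> %d\n", verify_decision(0, &chain, &test_policy));
    printf("leaf TEST_ERR_B  -> %d\n", verify_decision(0, &other, &test_policy));
    return 0;
}
```

Returning 1 from `verify_decision` is exactly what triggers the "Verify callback overriding error!" message quoted in the question, so the message is informational: it records that the callback chose to clear `store->error`, not that something went wrong.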
