证书校验选项调试通过。

platform/src/ssl_stream.cpp

@@ -43,9 +43,6 @@
 
 static int SSL_EX_DATA_IDX_SSLMGR;
 
-int SSL_PEER_CERT_VERIFY_PASSED=1;
-int SSL_PEER_CERT_VERIFY_FAILED=0;
-
 #define MAX_NET_RETRIES        50
 #define	LATENCY_WARNING_THRESHOLD_MS		1000
 /*
@@ -388,7 +385,8 @@ void ssl_stat_init(struct ssl_mgr * mgr)
 	return;
 }
 static SSL * downstream_ssl_create(struct ssl_mgr * mgr, struct keyring * crt, const unsigned char* selected_alpn);
-static SSL * upstream_ssl_create(struct ssl_mgr * mgr, const struct ssl_chello * chello, evutil_socket_t fd);
+static SSL * upstream_ssl_create(struct ssl_mgr * mgr, struct ssl_stream* s_stream, evutil_socket_t fd);
+
 static void sslctx_set_opts(SSL_CTX * sslctx, struct ssl_mgr * mgr);
 
 struct ssl_chello * ssl_peek_result_release_chello(future_result_t * result)
@@ -418,8 +416,9 @@ struct ssl_stream * ssl_stream_new(struct ssl_mgr * mgr, evutil_socket_t fd, enu
 			break;
 		case CONN_DIR_UPSTREAM: 
 			ATOMIC_INC(&(s_stream->mgr->stat_val[SSL_UP_NEW]));
-			s_stream->ssl = upstream_ssl_create(mgr, client_hello, fd);
+			s_stream->up_parts.verify_param.no_verify_expiry_date=1;		
 			s_stream->up_parts.client_hello = client_hello;
+			s_stream->ssl = upstream_ssl_create(mgr, s_stream, fd);
 			break;
 		default: assert(0);
 	}
@@ -589,7 +588,6 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
 	//tfe2a uses SSLv23_method, it was been deprecated and replaced with the TLS_method() in openssl 1.1.0.
 	mgr->sslmethod = TLS_method;
     SSL_EX_DATA_IDX_SSLMGR   = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
-	
 	MESA_load_profile_uint_def(ini_profile, section, "ssl_compression", &(mgr->sslcomp), 1);
 	MESA_load_profile_uint_def(ini_profile, section, "no_ssl2", &(mgr->no_ssl2), 1);
 	MESA_load_profile_uint_def(ini_profile, section, "no_ssl3", &(mgr->no_ssl3), 1);
@@ -786,12 +784,12 @@ static void ssl_async_peek_client_hello(struct future * f, evutil_socket_t fd, i
  * Create new SSL context for outgoing connections to the original destination.
  * If hostname sni is provided, use it for Server Name Indication.
  */
-static SSL * upstream_ssl_create(struct ssl_mgr * mgr, const struct ssl_chello * chello, evutil_socket_t fd)
+static SSL * upstream_ssl_create(struct ssl_mgr * mgr, struct ssl_stream* s_stream, evutil_socket_t fd)
 {
 	SSL_CTX * sslctx = NULL;
 	SSL * ssl = NULL;
 	SSL_SESSION * sess = NULL;
-	
+	struct ssl_chello * chello=s_stream->up_parts.client_hello;
 	sslctx = SSL_CTX_new(mgr->sslmethod());
 	sslctx_set_opts(sslctx, mgr);
 	int ret=0;
@@ -817,7 +815,7 @@ static SSL * upstream_ssl_create(struct ssl_mgr * mgr, const struct ssl_chello *
 		SSL_CTX_free(sslctx);
 		return NULL;
 	}
-
+	
 	SSL_CTX_set_verify(sslctx, SSL_VERIFY_NONE, NULL);
 	ssl = SSL_new(sslctx);
 	SSL_CTX_free(sslctx);  /* SSL_new() increments refcount */

platform/src/ssl_trusted_cert_storage.cpp

@@ -11,7 +11,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <assert.h>
-static int SSL_EX_DATA_IDX_VERIFY_PARAM;
+int SSL_EX_DATA_IDX_VERIFY_PARAM=-1;
 
 struct ssl_X509_object
 {
@@ -184,7 +184,8 @@ struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem
 	storage->pem_dir=tfe_strdup(pem_dir);
 	storage->hash_table=_create_mesa_htable();
 	pthread_rwlock_init(&(storage->rwlock), NULL);
-	SSL_EX_DATA_IDX_VERIFY_PARAM = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+	assert(SSL_EX_DATA_IDX_VERIFY_PARAM<0);
+	SSL_EX_DATA_IDX_VERIFY_PARAM = X509_STORE_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
 	return storage;
 	
 
@@ -273,9 +274,8 @@ void ssl_trusted_cert_storage_reset(struct ssl_trusted_cert_storage* storage)
 	return;
 }
 static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
- {
+{
-    int err, ret=0;
+    int err=0, ret=0;
-    SSL* ssl;
 	struct cert_verify_param* param=NULL;
 
 	if(preverify_ok)
@@ -287,8 +287,7 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
      * Retrieve the pointer to the SSL of the connection currently treated
      * and the application specific data stored into the SSL object.
      */
-    ssl = (SSL*)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+	param = (struct cert_verify_param*)X509_STORE_CTX_get_ex_data(ctx, SSL_EX_DATA_IDX_VERIFY_PARAM);
-    param = (struct cert_verify_param*)SSL_get_ex_data(ssl, SSL_EX_DATA_IDX_VERIFY_PARAM);
 	switch(err)
 	{
 		case	X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
@@ -333,8 +332,6 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
 		return 1;
 	}
 	X509 * cert = sk_X509_value(cert_chain, 0);
-	SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_callback);
-	SSL_set_ex_data(ssl, SSL_EX_DATA_IDX_VERIFY_PARAM, param);
 	
 	X509_STORE_CTX * ctx = X509_STORE_CTX_new();
 	pthread_rwlock_rdlock(&(storage->rwlock));
@@ -350,6 +347,10 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
 		host_matched=1;
 	}
 	
+	X509_STORE_CTX_set_verify_cb(ctx, verify_callback);
+//	SSL_set_ex_data(ssl, SSL_EX_DATA_IDX_VERIFY_PARAM, &(s_stream->up_parts.verify_param));
+	X509_STORE_CTX_set_ex_data(ctx, SSL_EX_DATA_IDX_VERIFY_PARAM, param);
+
 	//If a complete chain can be built and validated this function returns 1, otherwise it return zero or negtive code.
 	ret = X509_verify_cert(ctx);
 	err_code=X509_STORE_CTX_get_error(ctx);