According to the OpenSSL documentation, both SSL_set_verify and SSL_CTX_set_verify appear to do pretty much the same thing.
Using the Boost libraries, I can't tell whether/when I need to call ssl::stream::set_verify_callback versus ssl::context::set_verify_callback, since the stream uses the context anyways. The functions call SSL_set_verify and SSL_CTX_set_verify, respectively, under the hood.
When do I need to set the verification callback for the context instead of the SSL stream?
Each connection can have its own ssl object while they all get inherited from one ctx object. You can see the difference here. One generally tends to have one ctx created and use the same for all TLS connections. In this model you can control the verification options globally or at individual connection level with the two options.
Thus the difference is that SSL_CTX_set_verify sets the verification mode for all ssl objects derived from a given ctx whereas SSL_set_verify() only affects the ssl object it is called on.
Usually you have a common verification function in your code and not one specific to a single SSL session. And often you share the same SSL context between multiple SSL sessions. Therefore in most cases it makes more sense to set the verification callback only on the context.