Verification of X509 certificate

I also posted this question on the users mailing list.

Hello,

we are writing a client/server application in C/C++ using OpenSSL. The communication works fine, but if we set the client to verify the server's certificate (using "SSL_set_verify(ssl, SSL_VERIFY_PEER, ourVerifyCallback);") we get the error: "unable to get local issuer certificate", which is explained here: http://www.openssl.org/docs/apps/verify.html#item_20

Some background information on our certificate hierarchy: we have a custom, self-signed CA certificate and a server certificate that is directly signed by the CA certificate. Our certificate chain therefore has a depth of 1.

To solve the verification problem on the client side, it works if we call this:

SSL_CTX_load_verify_locations(sslContext, "PATH/TO/CA_FILE.pem", 0);

That's fine, but is it possible to verify the server's certificate on the client side by specifying a whole directory, or perhaps a copy of the server's certificate file directly? In our examples, verification fails if we don't specify a file that contains the CA certificate among others.

Thanks in advance
Konrad
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@...
Automated List Manager majordomo@...
Re: Verification of X509 certificate

Hi Konrad:

Konrad Kleine wrote:
> I also posted this question on the users mailing list.
>
> Hello,
>
> we are writing a client/server application in C/C++ using OpenSSL.
> <SNIP>
> That's fine, but is it possible to verify the server's certificate on
> client side by specifying a whole directory or perhaps a copy of the
> server's certificate file directly?
>
> In our examples, verification fails if we don't specify a file that
> contains the CA certificate among others.
>

This is actually correct behaviour - in order to check a certificate's validity, you need to check:

1: That it was signed by a "trusted" CA
2: That it is in its validity period
3: That it isn't revoked.
4: That it is being used according to any critical extensions.
5: You SHOULD check and make sure that non-critical extensions are obeyed as well.
6: That it was issued according to a Certificate Policy that you have chosen.

The OpenSSL verification routines do a fairly good job of handling 1, 2, 3 and 4, although you have to supply your own code to handle CRL Distribution Points and the actual downloading of the CRL, you have to provide an already built trust path, since AIA chasing isn't possible directly from within the OpenSSL verification routines (which is probably a good thing :), and there are only a small number of critical fields that OpenSSL can handle by default.

To handle the full set of requirements, including 5 and 6, you have to implement custom routines yourself, or use something like Pathfinder (http://pathfinder-pki.googlecode.com).

So, you should be providing the CA that signed the server cert to the client (or else, how do you know and trust the signature in the server certificate ??). Just checking the server certificate doesn't actually get you anything (if you are just going to do that, don't use certificates, and just use some form of shared secret).

Have fun.

Patrick.
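The following script is an added example, not code from either poster or from the OpenSSL project. It reproduces both points of the thread with the openssl command-line tool: the question of whether a whole directory can serve as the trust store (it can, which is what the second argument of SSL_CTX_load_verify_locations() is for), and Patrick's point that trusting a copy of the server's own certificate does not complete the chain, which is exactly where "unable to get local issuer certificate" comes from. The CA, the server certificate, the name "server.example.test" and the directory layout are all constructed throwaway values chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): reproduces the client-side trust question
# with the openssl CLI. Everything here is a constructed throwaway PKI; it is not
# the poster's real CA, and "server.example.test" is an assumed placeholder name.
set -eu

# Build the hierarchy the thread describes: one self-signed CA and one server
# certificate signed directly by it (chain depth 1).
make_test_pki() {
    out="$1"
    mkdir -p "$out/hashed"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out/ca.key" -out "$out/ca.pem" \
        -subj "/CN=Example Test CA" -days 1 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$out/server.key" -out "$out/server.csr" \
        -subj "/CN=server.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$out/server.csr" -CA "$out/ca.pem" -CAkey "$out/ca.key" \
        -CAcreateserial -out "$out/server.pem" -days 1 >/dev/null 2>&1
    # A CApath directory is looked up by subject-name hash: each trusted cert must
    # be named <hash>.0 (this is what c_rehash / "openssl rehash" generate).
    cp "$out/ca.pem" "$out/hashed/$(openssl x509 -noout -hash -in "$out/ca.pem").0"
}

# Same trust store as SSL_CTX_load_verify_locations(ctx, "ca.pem", NULL).
verify_with_cafile() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1/ca.pem" "$1/server.pem" >/dev/null 2>&1
}

# Same trust store as SSL_CTX_load_verify_locations(ctx, NULL, "hashed/"): a whole
# directory works, provided the files carry the hashed names.
verify_with_capath() {
    openssl verify -no-CAfile -no-CApath -CApath "$1/hashed" "$1/server.pem" >/dev/null 2>&1
}

# What the poster tried: trust only a copy of the server's own (non-self-signed)
# certificate. The chain cannot be completed to a self-signed anchor, so this fails.
verify_trusting_server_cert_only() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1/server.pem" "$1/server.pem" >/dev/null 2>&1
}

# Return the verifier's diagnostic for that failing case (|| true: failure is expected).
failure_message_for_server_cert_only() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1/server.pem" "$1/server.pem" 2>&1 || true
}

# Stand-alone run: print the outcome of each trust-store configuration.
demo() {
    pki=$(mktemp -d)
    make_test_pki "$pki"
    verify_with_cafile "$pki" && echo "CAfile   : chain verifies"
    verify_with_capath "$pki" && echo "CApath   : chain verifies"
    if verify_trusting_server_cert_only "$pki"; then
        echo "leaf-only: verifies (unexpected)"
    else
        echo "leaf-only: fails, verifier says:"
        failure_message_for_server_cert_only "$pki" | sed 's/^/    /'
    fi
    rm -rf "$pki"
}

demo
```

Run it as `sh verify_trust_demo.sh`. The CApath form is the answer to the "whole directory" question, with the caveat that OpenSSL finds certificates in that directory only under their subject-hash file names, so the directory must be rehashed whenever a CA is added. Note also that everything above checks only that the chain ends at a trusted CA; a client must separately check that the certificate's name matches the host it meant to reach (SSL_set1_host() in OpenSSL 1.1.0 and later), because a valid chain for the wrong server is still a valid chain.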