Re: Server Authentication - Openssl


Thread: Re: Server Authentication

  1. Re: Server Authentication

    From what I understand, you need the trust anchor's certificate (e.g. Verisign)
    so that you can check the server's certificate against the probably self-signed
    Verisign certificate. It is supposed that you already have the certificates of
    CAs you trust.
    If your question is how to find online a specific certificate, the simple answer is that
    you usually can't.



    ----- Original Message ----
    From: AlokBhatnagar
    To: openssl-users@openssl.org
    Sent: Friday, June 20, 2008 4:02:15 PM
    Subject: Re: Server Authentication

    Thanks David,

    I know that the domain name should be the same as the common name in the server
    certificate which is sent by the server to the client.

    As I know, the SSL client verifies the server's certificate against the CA
    certificate loaded in the client.

    Suppose I trust the Verisign CA. So my client must have the Verisign CA certificate
    in order to verify the server's certificate.

    So I want to ask, how will I get the CA certificate or list of CA
    certificates that I trust?

    Thanks

    Regards
    Alok Bhatnagar


    ----- Original Message -----
    From: "David Schwartz"
    To:
    Sent: Friday, June 20, 2008 6:03 PM
    Subject: RE: Server Authentication


    > > So I want to know how will my client authenticate the server
    > > since I don't have the server's root certificate?
    > >
    > > Thanks in Advance..
    > >
    > > Regards
    > > Alok Bhatnagar
    >
    >
    > That is completely application-dependent. The answer will depend on what
    > makes the legitimate server different from an impostor.
    >
    > Your question is basically, "how can I detect an impostor?". And the answer
    > is "as opposed to what?". For example, if the question is, "how can I tell
    > the real amazon.com from an impostor who doesn't control that domain?" the
    > answer is to see if the server presents a certificate with 'amazon.com' in
    > the common name that is signed by a CA you trust.
    >
    > If you don't know what CAs you trust, then you have a problem.
    >
    > DS
    >
    >
    > __________________________________________________ ____________________
    > OpenSSL Project http://www.openssl.org
    > User Support Mailing List openssl-users@openssl.org
    > Automated List Manager majordomo@openssl.org
    >
    >





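The check both replies describe (a certificate that chains to a CA the client already holds in its own trust store, and that carries the expected name), as an added example that is not part of the thread: it builds a throwaway CA, a server certificate that CA signs, and an impostor certificate with the same name that nobody trusted signed, then runs the verification a client performs using the openssl CLI. The hostname, file names and the `verify_server` helper are assumptions for the demo; `-verify_hostname` needs OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Constructed demo: a throwaway CA, a server cert it signs, and an
# impostor cert with the same CN that the CA did NOT sign.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="www.example.test"   # assumed hostname for the demo

# 1. The CA whose certificate the client is configured to trust.
#    In practice this file is the client's CA bundle, obtained out of band.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Demo Test CA" >/dev/null 2>&1

# 2. Legitimate server: key + CSR, signed by the CA, with a SAN for the host.
printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.cnf"
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/srv.key" \
    -out "$WORK/srv.csr" -subj "/CN=$HOST" >/dev/null 2>&1
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/san.cnf" \
    -out "$WORK/srv.pem" >/dev/null 2>&1

# 3. Impostor: self-signed cert claiming the same name, no trusted signer.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/bad.key" -out "$WORK/bad.pem" \
    -subj "/CN=$HOST" >/dev/null 2>&1

# What the client must check: the presented cert chains to a CA in the
# client's own trust store AND its name matches the host being contacted.
# Prints "ok" when both hold, "fail" otherwise.
verify_server() {  # $1 = trusted CA bundle, $2 = presented cert, $3 = expected host
    if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

verify_server "$WORK/ca.pem" "$WORK/srv.pem" "$HOST"                # ok
verify_server "$WORK/ca.pem" "$WORK/bad.pem" "$HOST"                # fail: untrusted signer
verify_server "$WORK/ca.pem" "$WORK/srv.pem" "other.example.test"   # fail: name mismatch
```

Replacing `-CAfile` with the system bundle (or omitting it so OpenSSL uses its default `-CApath`) is the usual way a real client answers "which CAs do I trust".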



  2. Re: Server Authentication

    Hello Sendroiu,

    That's what I was asking....

    How can I get the certificates of CAs I trust?

    Regards

    Alok Bhatnagar




    ----- Original Message -----
    From: Sendroiu Eugen
    To: openssl-users@openssl.org
    Sent: Friday, June 20, 2008 7:12 PM
    Subject: Re: Server Authentication


    From what I understand, you need the trust anchor's certificate (e.g. Verisign)
    so that you can check the server's certificate against the probably self-signed
    Verisign certificate. It is supposed that you already have the certificates of
    CAs you trust.
    If your question is how to find online a specific certificate, the simple answer is that
    you usually can't.







