This is a discussion on Re: Verification of X509 certificate - Openssl ; Hi Konrad: Konrad Kleine wrote: > I also posted this question on the users mailing list. > > Hello, > > we are writing an client/server-application in C/C++ using OpenSSL. > > That's fine, but is it possible to verify ...
Konrad Kleine wrote:
> I also posted this question on the users mailing list.
> we are writing an client/server-application in C/C++ using OpenSSL.
> That's fine, but is it possible to verify the server's certificate on
> client side by specifying a whole directory or a perhaps the copy of the
> server's certificate file directly?
> In our examples, verification fails if we don't specify a file that
> contains the CA certificate among others.
This is actually correct behaviour - in order to check a certificates
validity, you need to check:
1: That it was signed by a "trusted" CA
2: That it is in it's validity period
3: That it isn't revoked.
4: That it is being used according to any critical extensions.
5: You SHOULD check and make sure that non-critical extensions are
obeyed as well.
6: That it was issued according to a Certificate Policy that you have
The OpenSSL verification routines do a fairly good job of handling
1,2,3,and 4, although you have to supply your own code to handle CRL
Distribution Points and the actual downloading of the CRL, you have to
provide an already built trust path, since AIA chasing isn't possible
directly from within the OpenSSL Verification routines (which is
probably a good thing , and there are only a small number of critical
fields that OpenSSL can handle by default. To handle the full set of
requirements, including 5 and 6, you have to implement custom routines
yourself, or use something like Pathfinder
So, you should be providing the CA that signed the Server cert to the
client (or else, how do you know and trust the signature in the server
certificate ??). Just checking the server certificate doesn't actually
get you anything (if you are just going to do that, don't use
certificates, and just use some form of shared secret).
OpenSSL Project http://www.openssl.org
Development Mailing List firstname.lastname@example.org
Automated List Manager email@example.com