Never mind, I ended up realising that there is actually documentation of each function in the "see also" section on openssl.org (which I had never noticed before), so I just rewrote it in C. And it works :-)

-Ian

-----Original Message-----
From: Shaughnessy, Ian
To: '[EMAIL PROTECTED]'
Sent: 2/19/01 1:17 PM
Subject: Net::SSLeay and certificate verification

Hi -

I have been for some time trying to figure out how to do certificate verification with the Net::SSLeay perl module. Unfortunately there is no documentation on this anywhere in the module, and the one sample program which uses callbacks does not fail if it is an invalid cert. Also unfortunately, I cannot find very much good documentation in general on how to do this, so I apologize if I do not explain my problem very well.

Basically what I am trying to do is this:

    /usr/local/ssl/bin/openssl s_client -connect www.equifax.com:443 -verify -1 -CApath .

with a Thawte certificate and hashed symlink in the local directory, but in a perl script. The trick here is the -1 verification: I want this perl script to fail unless it can have -1 verification (sorry if incorrect term). Right now, the callback.pl script verifies at 1, so it will verify any site you connect to provided only you have some (any) cert. How do I get it to only verify if it can trace the cert chain back up to, say, Thawte?

Here is a copy of the verify function (and what sets it) also.

    $ctx = Net::SSLeay::CTX_new() or die_now("Failed to create SSL_CTX $!");
    Net::SSLeay::CTX_set_default_verify_paths($ctx);
    Net::SSLeay::CTX_load_verify_locations($ctx, '', $cert_dir)
        or die_now("CTX load verify loc=`$cert_dir' $!");
    Net::SSLeay::CTX_set_verify($ctx, 0, \&verify);
    die_if_ssl_error('callback: ctx set verify');

    sub verify {
        my ($ok, $x509_store_ctx) = @_;
        print "**** Verify called ($ok)\n";
        my $x = Net::SSLeay::X509_STORE_CTX_get_current_cert($x509_store_ctx);
        if ($x) {
            print "Certificate:\n";
            print "  Subject Name: "
                . Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_subject_name($x)) . "\n";
            print "  Issuer Name:  "
                . Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_issuer_name($x)) . "\n";
        }
        $callback_called++;
        return $ok;    # 1=accept cert, 0=reject
    }

When I run this without the Thawte certificate, while connecting to mycio.com (issued by Equifax, issued by Thawte), verify is called, and returns:

    **** Verify called (0)
    Certificate:
      Subject Name: /C=US/O=Equifax Secure Inc/CN=Equifax Secure E-Business CA-2
      Issuer Name:  /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server [EMAIL PROTECTED]
    **** Verify called (1)
    Certificate:
      Subject Name: /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server [EMAIL PROTECTED]
      Issuer Name:  /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server [EMAIL PROTECTED]
    **** Verify called (1)
    Certificate:
      Subject Name: /C=US/O=Equifax Secure Inc/CN=Equifax Secure E-Business CA-2
      Issuer Name:  /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server [EMAIL PROTECTED]
    **** Verify called (1)
    Certificate:
      Subject Name: /C=US/ST=California/L=Santa Clara/O=Network Associates/OU=myCIO.com/CN=www.mycio.com
      Issuer Name:  /C=US/O=Equifax Secure Inc/CN=Equifax Secure E-Business CA-2

However, when I try to connect to a site using a snakeoil cert, it returns

    **** Verify called (0)
    Certificate:
      Subject Name: /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/C [EMAIL PROTECTED]
      Issuer Name:  /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/C [EMAIL PROTECTED]
    **** Verify called (1)
    Certificate:
      Subject Name: /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/C [EMAIL PROTECTED]
      Issuer Name:  /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/C [EMAIL PROTECTED]

and still verifies. What do I need to do?

Once again, I apologize if this sounds silly, but I cannot find _any_ good documentation about this, and I have never done any C openssl stuff.

Thanks.

-Ian

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
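Editor's note, with an added example that is not Ian's code and not the callback.pl sample shipped with Net::SSLeay. The behaviour Ian reports follows from the mode argument in his `CTX_set_verify($ctx, 0, \&verify)` call: 0 is SSL_VERIFY_NONE, under which OpenSSL still calls the callback for every certificate in the chain but ignores both the callback's return value and the chain result, so the handshake with the snakeoil server succeeds regardless. With SSL_VERIFY_PEER, a chain that does not end in a CA from the configured trust store aborts the handshake (unless the callback overrides a failure by returning 1), and the outcome is also readable afterwards from `get_verify_result`. The script below puts that together: it loads only the local CA directory (not the system defaults, which would trust any public CA rather than just the one in `.`), sets SSL_VERIFY_PEER with a logging-only callback, and additionally checks that the leaf certificate is valid for the host name, which chain validation alone never does. Assumptions: a current Net::SSLeay (`X509_check_host` is assumed to be present, which needs Net::SSLeay 1.83 or later on OpenSSL 1.0.2 or later; the older calls exist in all recent versions), a CA directory hashed with `c_rehash`, and the host, port and directory given on the command line. Nothing here was tested against the hosts named in the thread.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): a Net::SSLeay client that
# refuses to talk to a server unless its certificate chain ends in a CA
# found in $ca_dir and its certificate is valid for $host.
use strict;
use warnings;
use IO::Socket::INET;
use Net::SSLeay qw(die_now die_if_ssl_error);

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

# Verify callback: log only. Returning $ok unchanged leaves OpenSSL's own
# decision in force; under SSL_VERIFY_PEER a 0 from here aborts the handshake.
# Returning 1 unconditionally would turn verification off again.
sub verify_cb {
    my ($ok, $store_ctx) = @_;
    my $cert  = Net::SSLeay::X509_STORE_CTX_get_current_cert($store_ctx);
    my $depth = Net::SSLeay::X509_STORE_CTX_get_error_depth($store_ctx);
    my $subj  = $cert
        ? Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_subject_name($cert))
        : '(none)';
    if (!$ok) {
        my $err = Net::SSLeay::X509_STORE_CTX_get_error($store_ctx);
        warn sprintf("verify failed at depth %d (%s): %s\n",
            $depth, $subj, Net::SSLeay::X509_verify_cert_error_string($err));
    }
    return $ok;
}

# Build a context that insists on a chain ending in a CA under $ca_dir
# (PEM files plus hash symlinks, as produced by c_rehash; assumed layout).
sub make_ctx {
    my ($ca_dir, $max_depth) = @_;
    my $ctx = Net::SSLeay::CTX_new() or die_now("CTX_new failed: $!");
    # Deliberately not calling CTX_set_default_verify_paths: only the CAs in
    # $ca_dir are trusted, so the chain must lead back to one of them.
    Net::SSLeay::CTX_load_verify_locations($ctx, '', $ca_dir)
        or die_now("cannot load CA dir $ca_dir");
    # Mode 0 (SSL_VERIFY_NONE) makes OpenSSL ignore the callback's result;
    # VERIFY_PEER makes a failed chain fail the handshake.
    Net::SSLeay::CTX_set_verify($ctx, Net::SSLeay::VERIFY_PEER(), \&verify_cb);
    Net::SSLeay::CTX_set_verify_depth($ctx, $max_depth);
    die_if_ssl_error('CTX setup');
    return $ctx;
}

# Connect and handshake; return 1 only if the chain verified against $ca_dir
# and the leaf certificate is valid for $host, 0 otherwise.
sub connect_verified {
    my ($host, $port, $ca_dir) = @_;
    my $ctx  = make_ctx($ca_dir, 9);
    my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
                                     Proto => 'tcp')
        or die "connect $host:$port: $!";
    my $ssl = Net::SSLeay::new($ctx) or die_now("SSL_new failed");
    Net::SSLeay::set_tlsext_host_name($ssl, $host);   # SNI, needed by most hosts
    Net::SSLeay::set_fd($ssl, fileno($sock));

    my $ok = 0;
    if (Net::SSLeay::connect($ssl) <= 0) {
        # Under VERIFY_PEER a chain failure surfaces here as a failed handshake.
        warn "handshake failed: "
            . Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error()) . "\n";
    } elsif (Net::SSLeay::get_verify_result($ssl) != 0) {   # 0 == X509_V_OK
        warn "certificate chain did not verify\n";
    } else {
        # A valid chain says nothing about whose name is on the certificate.
        my $leaf = Net::SSLeay::get_peer_certificate($ssl);
        if ($leaf && Net::SSLeay::X509_check_host($leaf, $host, 0) == 1) {
            $ok = 1;
        } else {
            warn "certificate is not valid for $host\n";
        }
    }
    Net::SSLeay::free($ssl);
    Net::SSLeay::CTX_free($ctx);
    close $sock;
    return $ok;
}

my ($host, $port, $ca_dir) = @ARGV;
die "usage: $0 host port ca_dir\n" unless defined $ca_dir;
exit(connect_verified($host, $port, $ca_dir) ? 0 : 1);
```

Run as `perl verify.pl www.example.com 443 ./cadir` after `c_rehash ./cadir`; the exit status is 0 only when both the chain and the host name check pass. The callback is kept purely diagnostic on purpose: the common mistake after switching to VERIFY_PEER is to "fix" a failing connection by returning 1 from the callback, which silently accepts any certificate again, exactly the behaviour the thread is trying to get rid of.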