Never mind, I ended up realising that there is actually documentation of each
function in the SEE ALSO section on openssl.org (which I had never noticed
before), so I just rewrote it in C.  And it works :-)

  -Ian

-----Original Message-----
From: Shaughnessy, Ian
To: '[EMAIL PROTECTED]'
Sent: 2/19/01 1:17 PM
Subject: Net::SSLeay and certificate verification

Hi - 
I have been for some time trying to figure out how to do certificate
verification with the Net::SSLeay perl module.  Unfortunately there is no
documentation on this anywhere in the module, and the one sample program
which uses callbacks does not fail if it is an invalid cert.  Also
unfortunately, I can not find very much good documentation in general on
how to do this, so I apologize if I do not explain my problem very well.
Basically what I am trying to do is this:

 /usr/local/ssl/bin/openssl s_client -connect www.equifax.com:443 -verify -1 -CApath .

With a thawte certificate and hashed symlink in the local directory, but in
a perl script.  The trick here is the -1 verification, I want this perl
script to fail unless it can have -1 verification (sorry if incorrect term).
Right now, the callback.pl script verifies at 1, so it will verify any site
you connect to provided only you have some (any) cert.  How do I get it to
only verify if it can trace the cert chain back up to, say thawte?  Here is
a copy of the verify function (and what sets it) also.


use Net::SSLeay qw(die_now die_if_ssl_error);   # helper subs shipped with Net::SSLeay

my $callback_called = 0;

$ctx = Net::SSLeay::CTX_new() or die_now("Failed to create SSL_CTX $!");
Net::SSLeay::CTX_set_default_verify_paths($ctx);   # also trusts the system CA store
Net::SSLeay::CTX_load_verify_locations($ctx, '', $cert_dir)
    or die_now("CTX load verify loc=`$cert_dir' $!");
# mode 0 is SSL_VERIFY_NONE: the callback still runs for every cert in the
# chain, but the handshake goes ahead whatever it returns
Net::SSLeay::CTX_set_verify($ctx, 0, \&verify);
die_if_ssl_error('callback: ctx set verify');

# called once per certificate in the chain; $ok is OpenSSL's own verdict
sub verify {
    my ($ok, $x509_store_ctx) = @_;

    print "**** Verify called ($ok)\n";
    my $x = Net::SSLeay::X509_STORE_CTX_get_current_cert($x509_store_ctx);
    if ($x) {
        print "Certificate:\n";
        print "  Subject Name: "
            . Net::SSLeay::X509_NAME_oneline(
                Net::SSLeay::X509_get_subject_name($x))
            . "\n";
        print "  Issuer Name:  "
            . Net::SSLeay::X509_NAME_oneline(
                Net::SSLeay::X509_get_issuer_name($x))
            . "\n";
    }
    $callback_called++;
    return $ok;    # 1 = accept cert, 0 = reject
}



When I run this without the thawte certificate, while connecting to
mycio.com (issued by equifax, issued by thawte), verify is called, and
returns:
**** Verify called (0)
Certificate:
  Subject Name: /C=US/O=Equifax Secure Inc/CN=Equifax Secure E-Business CA-2
  Issuer Name:  /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server [EMAIL PROTECTED]
**** Verify called (1)
Certificate:
  Subject Name: /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server [EMAIL PROTECTED]
  Issuer Name:  /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server [EMAIL PROTECTED]
**** Verify called (1)
Certificate:
  Subject Name: /C=US/O=Equifax Secure Inc/CN=Equifax Secure E-Business CA-2
  Issuer Name:  /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server [EMAIL PROTECTED]
**** Verify called (1)
Certificate:
  Subject Name: /C=US/ST=California/L=Santa Clara/O=Network Associates/OU=myCIO.com/CN=www.mycio.com
  Issuer Name:  /C=US/O=Equifax Secure Inc/CN=Equifax Secure E-Business CA-2


However, when I try to connect to a site using a snakeoil cert, it returns
**** Verify called (0)
Certificate:
  Subject Name: /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/C [EMAIL PROTECTED]
  Issuer Name:  /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/C [EMAIL PROTECTED]
**** Verify called (1)
Certificate:
  Subject Name: /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/C [EMAIL PROTECTED]
  Issuer Name:  /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/C [EMAIL PROTECTED]


And still verifies.  What do I need to do?  Once again, I apologize if this
sounds silly, but I can not find _any_ good documentation about this, and I
have never done any C openssl stuff.  Thanks.

 -Ian
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
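Added example (editor's code, not Ian's and not from the Net::SSLeay
distribution): a Net::SSLeay client that does in Perl what the s_client
-verify run above does.  The reason the posted callback never rejects
anything is the mode argument to CTX_set_verify: 0 is SSL_VERIFY_NONE,
under which OpenSSL runs the callback for every certificate but completes
the handshake whatever it returns, which is why the snakeoil cert "still
verifies".  With VERIFY_PEER, a 0 from the callback aborts SSL_connect, and
get_verify_result reports the library's conclusion afterwards.  The script
also deliberately omits CTX_set_default_verify_paths, so only CAs in the
given directory (prepared with c_rehash) are trusted.  Assumptions: the
chain-depth limit $MAX_DEPTH of 3 is an arbitrary choice, and the installed
Net::SSLeay provides X509_STORE_CTX_get_error, X509_STORE_CTX_get_error_depth,
X509_verify_cert_error_string, get_verify_result and (optionally)
set_tlsext_host_name; all are in current releases, but a 2001-era build may
lack some of them.

```perl
#!/usr/bin/perl
# Added example, not the list poster's code: connect to host:port and refuse
# to talk unless the server's certificate chains up to a CA in $cert_dir.
use strict;
use warnings;
use IO::Socket::INET;
use Net::SSLeay qw(die_now die_if_ssl_error);

my ($host, $port, $cert_dir) = @ARGV;
die "usage: $0 host port ca-dir\n" unless defined $cert_dir;

my $MAX_DEPTH = 3;   # assumption: longest chain we are willing to accept

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

my $ctx = Net::SSLeay::CTX_new() or die_now("Failed to create SSL_CTX $!");

# Trust ONLY the CAs in $cert_dir (a c_rehash'd directory).  No
# CTX_set_default_verify_paths(): that would also trust every CA in the
# system-wide store, which is not what "only if it chains to thawte" means.
Net::SSLeay::CTX_load_verify_locations($ctx, '', $cert_dir)
    or die_now("CTX load verify loc=`$cert_dir' $!");

# The mode is what decides whether a bad chain aborts the handshake.
# 0 (SSL_VERIFY_NONE) runs the callback but ignores its answer;
# VERIFY_PEER makes a 0 from the callback fatal to SSL_connect().
my $mode = Net::SSLeay::VERIFY_PEER()
         | Net::SSLeay::VERIFY_FAIL_IF_NO_PEER_CERT();
Net::SSLeay::CTX_set_verify($ctx, $mode, \&verify_cb);
die_if_ssl_error('ctx set verify');

my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
                                 Proto    => 'tcp')
    or die "connect $host:$port: $!\n";

my $ssl = Net::SSLeay::new($ctx) or die_now("Failed to create SSL $!");
Net::SSLeay::set_fd($ssl, fileno($sock));
# SNI; only present in newer Net::SSLeay, harmless to skip on old builds
Net::SSLeay::set_tlsext_host_name($ssl, $host)
    if Net::SSLeay->can('set_tlsext_host_name');

if (Net::SSLeay::connect($ssl) <= 0) {
    Net::SSLeay::print_errors();
    die "handshake failed: chain did not verify against $cert_dir\n";
}

# Belt and braces: ask the library what it concluded.  0 is X509_V_OK.
my $vres = Net::SSLeay::get_verify_result($ssl);
die sprintf("verify result %d: %s\n", $vres,
            Net::SSLeay::X509_verify_cert_error_string($vres))
    unless $vres == 0;

print "verified: ",
      Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_subject_name(
          Net::SSLeay::get_peer_certificate($ssl))), "\n";

Net::SSLeay::ssl_write_all($ssl, "GET / HTTP/1.0\r\nHost: $host\r\n\r\n");
my $reply = Net::SSLeay::ssl_read_all($ssl);
print substr($reply, 0, 200), "\n";

Net::SSLeay::free($ssl);
Net::SSLeay::CTX_free($ctx);
close $sock;

# Called once per certificate in the chain, root (highest depth) first.
# $ok is what OpenSSL already decided for this cert; a callback may only
# make that verdict stricter, never turn a 0 into a 1.
sub verify_cb {
    my ($ok, $x509_store_ctx) = @_;
    my $depth = Net::SSLeay::X509_STORE_CTX_get_error_depth($x509_store_ctx);
    my $cert  = Net::SSLeay::X509_STORE_CTX_get_current_cert($x509_store_ctx);
    my $subj  = $cert
        ? Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_subject_name($cert))
        : '(no cert)';
    printf "verify depth=%d ok=%d %s\n", $depth, $ok, $subj;
    unless ($ok) {
        my $err = Net::SSLeay::X509_STORE_CTX_get_error($x509_store_ctx);
        printf "  error %d: %s\n", $err,
               Net::SSLeay::X509_verify_cert_error_string($err);
    }
    return 0 if $depth > $MAX_DEPTH;   # chain longer than we allow
    return $ok;
}
```

Run it as "perl verify_client.pl www.example.com 443 /path/to/cadir".  With
a self-signed or untrusted server cert the callback prints the OpenSSL error
(e.g. "unable to get local issuer certificate") and connect() fails instead
of going on to the GET.  One caveat a practitioner should keep in mind:
chain verification proves only that a trusted CA issued the certificate, not
that it was issued for the host you connected to; a matching check of the
subject CN or subjectAltName against $host is a separate step that this
script, like s_client, does not perform.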