SSL and Certificates verification
Hi all,

I have two issues when I am trying to verify the certificates from an SSL connection. In particular I have difficulties in understanding how to:

- Add a set of certificates that are to be trusted (trust anchors..)
- Add a set of certificates that might be needed to build the chain (not trust anchors..)
- Accept a chain of certificates where a self-signed cert is present without that error to be the only one reported in the verify callback (i.e., are there any flags I can set to avoid the error?)

So far, from the source code, I thought that by using:

    store = SSL_CTX_get_cert_store(ctx);
    X509_STORE_add_cert (store, cert);
    ...
    ssl = SSL_new ( ctx );

I would add the cert to the trusted ones.. but it does not seem to work :(

Where are the functions or the right pointers to do that without using the SSL_CTX_load_verify_locations() ???

--
Best Regards,
Massimiliano Pala

--o
Massimiliano Pala [OpenCA Project Manager]
ope...@acm.org
project.mana...@openca.org
Dartmouth Computer Science Dept, PKI/Trust Laboratory
Home Phone: +1 (603) 369-9332
Work Phone: +1 (603) 646-8734
--o
People who think they know everything are a great annoyance to those of us who do.
-- Isaac Asimov