Re: SSL_CTX_set_default_verify_paths and Windows?

2012-09-01 Thread Dr. Stephen Henson
On Fri, Aug 31, 2012, Dave Thompson wrote:
> like a scifi movie monster feeding on nuclear bomb radiation. 
> There is definitely an engine for MS CAPI, and I thought I had 
> heard mention that the engine interface was adding at least some 
> truststore function. But looking in 1.0.1c I don't see any trace 
> of such, so maybe I misunderstood or maybe it isn't cooked yet.
>

No it isn't there at present. Some research is needed on how to retrieve the
trust setting for CAPI stores first (so email CAs don't get trusted for
servers).

It is possible to dump the contents of a cert store using some of the ctrl
options though, but that only dumps them to standard output. 

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


RE: SSL_CTX_set_default_verify_paths and Windows?

2012-08-31 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills
> Sent: Friday, 31 August, 2012 12:00
> To: openssl-users@openssl.org
> Subject: SSL_CTX_set_default_verify_paths and Windows?
>
> Is there documentation for SSL_CTX_set_default_verify_paths()? 
> It's declared here http://www.openssl.org/docs/ssl/ssl.html 
> but there's no description and no link that I see.

UTSL (although in this case you must go through several layers). 
_set_default_verify is effectively _load_verify_locations 
using env vars SSL_CERT_FILE SSL_CERT_DIR if they exist 
and otherwise X509_get_default_cert_{file,dir}() which return 
a compiled-in file and directory normally file cert.pem and 
subdir certs under OPENSSLDIR, which is configurable at build 
time and can be seen with commandline openssl version -d .
If you're using the ShiningLight builds (as I am) they seem 
to make OPENSSLDIR /usr/local/ssl, a directory that doesn't 
normally exist on Windows systems (it does on many Unixes).

It is still a file and/or directory in OpenSSL format, not MS.

>
> I have an application working on Windows using explicit PEM 
> certificate
> files: SSL_CTX_load_verify_locations(SslCtx, myCert.pem, NULL);
>
> My interest is in the possibility of using the built-in 
> certificate store
> in Windows. Is that possible with OpenSSL? Is
> SSL_CTX_set_default_verify_paths() relevant? Is there an 
> overview document
> somewhere?

1. OpenSSL X509_STORE logic (like several others) is extensible, 
i.e. you write code implementing the same interface and plug it 
in. I'm sure it's possible to write a store that fetches from MS 
instead of from a file or directory like the builtin ones do.
But this looks like a pretty big job. Someone else may already 
have done this, but if so I haven't heard or seen of it.

2. OpenSSL has an ENGINE feature that was originally created 
to handle hardware devices mostly doing low-level crypto operations 
(a digest, a symmetric encrypt or decrypt, a public-key encrypt or 
decrypt, etc.) It has gradually been adding more functions, rather 
like a scifi movie monster feeding on nuclear bomb radiation. 
There is definitely an engine for MS CAPI, and I thought I had 
heard mention that the engine interface was adding at least some 
truststore function. But looking in 1.0.1c I don't see any trace 
of such, so maybe I misunderstood or maybe it isn't cooked yet.

Or of course you could just read the certs from MS truststore 
and put them in a file or dir in OpenSSL format. The only downside 
of that I see is that you won't honor new inserts (or possibly 
deletes) unless and until you repeat the process.


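The two ideas in Dave's reply, as an added example that is not code from this thread or from OpenSSL itself: the first function mirrors the lookup order he describes for SSL_CTX_set_default_verify_paths() (SSL_CERT_FILE / SSL_CERT_DIR from the environment, otherwise the compiled-in cert.pem and certs under OPENSSLDIR), using Python's ssl.get_default_verify_paths(), which wraps X509_get_default_cert_{file,dir}(). The rest implements his fallback of reading the Windows trust store and writing it out as a PEM bundle for SSL_CTX_load_verify_locations(), via Python's Windows-only ssl.enum_certificates(); it keeps only roots whose CryptoAPI trust setting covers TLS server authentication, which is the purpose problem Steve raises about e-mail CAs. The function names, SERVER_AUTH_OID constant and SAMPLE_STORE are my own; SAMPLE_STORE is constructed data, not real certificates, so the filtering can be exercised off Windows.

```python
"""Added example: where the default verify paths come from, and how to
snapshot a Windows CryptoAPI store into an OpenSSL-format PEM bundle."""
import base64
import os
import ssl

# id-kp-serverAuth: the EKU OID CryptoAPI reports for TLS server trust
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"


def resolve_default_verify_paths(env=None):
    """Same order as SSL_CTX_set_default_verify_paths(): SSL_CERT_FILE and
    SSL_CERT_DIR from the environment win; otherwise the compiled-in
    cert.pem / certs under OPENSSLDIR.  Returns (cafile, capath, source)."""
    env = os.environ if env is None else env
    p = ssl.get_default_verify_paths()  # exposes X509_get_default_cert_{file,dir}
    env_file = env.get(p.openssl_cafile_env)   # openssl_cafile_env == "SSL_CERT_FILE"
    env_dir = env.get(p.openssl_capath_env)    # openssl_capath_env == "SSL_CERT_DIR"
    cafile = env_file or p.openssl_cafile
    capath = env_dir or p.openssl_capath
    source = "env" if (env_file or env_dir) else "compiled-in"
    return cafile, capath, source


def der_to_pem(der):
    """Wrap one DER certificate as a 64-column PEM block."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def trusted_for_server_auth(trust):
    """CryptoAPI trust is either True (all purposes) or a set of EKU OIDs.
    Only roots usable for server authentication belong in a TLS CA file."""
    return trust is True or SERVER_AUTH_OID in trust


def store_to_pem_bundle(entries):
    """entries: iterable of (cert_bytes, encoding_type, trust) tuples, the
    shape ssl.enum_certificates() returns.  PKCS#7 blobs are skipped."""
    out = []
    for cert, encoding, trust in entries:
        if encoding != "x509_asn":
            continue
        if not trusted_for_server_auth(trust):
            continue
        out.append(der_to_pem(cert))
    return "".join(out)


def export_windows_root_store(path, store="ROOT"):
    """Windows only: write the system store to a PEM file for
    SSL_CTX_load_verify_locations().  Re-run it to pick up later
    additions or removals in the store; the file is a snapshot."""
    bundle = store_to_pem_bundle(ssl.enum_certificates(store))
    with open(path, "w", newline="\n") as f:
        f.write(bundle)
    return bundle.count("-----BEGIN CERTIFICATE-----")


# Constructed sample entries (not real certificates) in enum_certificates() shape.
SAMPLE_STORE = [
    (b"\x30\x03\x02\x01\x01", "x509_asn", True),                              # all purposes
    (b"\x30\x03\x02\x01\x02", "x509_asn", {"1.3.6.1.5.5.7.3.4"}),             # emailProtection only
    (b"\x30\x03\x02\x01\x03", "x509_asn", {SERVER_AUTH_OID, "1.3.6.1.5.5.7.3.2"}),
    (b"\x30\x03\x02\x01\x04", "pkcs_7_asn", True),                            # not bare X.509 DER
]

if __name__ == "__main__":
    cafile, capath, source = resolve_default_verify_paths()
    print(f"default verify paths: file={cafile} dir={capath} ({source})")
    print(store_to_pem_bundle(SAMPLE_STORE))
```

Of the four constructed entries only the first and third reach the bundle: the e-mail-only root and the PKCS#7 blob are dropped, which is the trust-setting distinction Steve says the CAPI engine would need before it could act as a trust store.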


RE: SSL_CTX_set_default_verify_paths and Windows?

2012-08-31 Thread Charles Mills
Dave, thanks much.

OK, SSL_CTX_set_default_verify_paths() won't do anything for me.

> There is definitely an engine for MS CAPI

I ran into some references to capi and e_capi researching this question on
the Google but I could not find any big picture.

> Or of course you could just read the certs from MS truststore and put them
> in a file or dir in OpenSSL format

That sounds like the way I will go if the customers want this. I'm not
enough of an expert to undertake the extension. I think I might be able to
do it as a pipe and not have to actually write the files to disk. Maybe.

You know what would be a cool feature for OpenSSL (yeah, LOL, I'm sure you
know a thousand)? If there were an API whereby one could set a callback
routine that would get a particular type of data (certificate, key, CA cert,
CRL, etc.) when OpenSSL needed it. Then it would be pretty trivial to read
the data from some privately known store such as the Windows truststore.

Thanks again. Amazing package. Enjoying working with it for the first time.

Charles

