Hi - 
I have been for some time trying to figure out how to do certificate
verification with the Net::SSLeay perl module.  Unfortunately there is no
documentation on this anywhere in the module, and the one sample program
which uses callbacks does not fail if it is an invalid cert.  Also
unfortunately, I can not find very much good documentation in general on how
to do this, so I apologize if I do not explain my problem very well.
Basically what I am trying to do is this:

 /usr/local/ssl/bin/openssl s_client -connect www.equifax.com:443 -verify -1 -CApath .

With a thawte certificate and hashed symlink in the local directory, but in
a perl script.  The trick here is the -1 verification, I want this perl
script to fail unless it can have -1 verification (sorry if incorrect term).
Right now, the callback.pl script verifies at 1, so it will verify any site
you connect to provided only you have some (any) cert.  How do I get it to
only verify if it can trace the cert chain back up to, say, thawte?  Here is
a copy of the verify function (and what sets it) also.


use Net::SSLeay qw(die_now die_if_ssl_error);
my $callback_called = 0;

$ctx = Net::SSLeay::CTX_new() or die_now("Failed to create SSL_CTX $!");
Net::SSLeay::CTX_set_default_verify_paths($ctx);
Net::SSLeay::CTX_load_verify_locations($ctx, '', $cert_dir)
    or die_now("CTX load verify loc=`$cert_dir' $!");
# Mode 0 is SSL_VERIFY_NONE: the callback still sees every result, but a
# failed verification does not abort the handshake.
Net::SSLeay::CTX_set_verify($ctx, 0, \&verify);
die_if_ssl_error('callback: ctx set verify');

sub verify {
    my ($ok, $x509_store_ctx) = @_;

    print "**** Verify called ($ok)\n";
    my $x = Net::SSLeay::X509_STORE_CTX_get_current_cert($x509_store_ctx);
    if ($x) {
        print "Certificate:\n";
        print "  Subject Name: "
            . Net::SSLeay::X509_NAME_oneline(
                Net::SSLeay::X509_get_subject_name($x))
            . "\n";
        print "  Issuer Name:  "
            . Net::SSLeay::X509_NAME_oneline(
                Net::SSLeay::X509_get_issuer_name($x))
            . "\n";
    }
    $callback_called++;
    return $ok;    # 1 = accept cert, 0 = reject
}



When I run this without the thawte certificate, while connecting to
mycio.com (issued by equifax, issued by thawte), verify is called, and
returns:
**** Verify called (0)
Certificate:
  Subject Name: /C=US/O=Equifax Secure Inc/CN=Equifax Secure E-Business CA-2
  Issuer Name:  /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Server
[EMAIL PROTECTED]
**** Verify called (1)
Certificate:
  Subject Name: /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Server
[EMAIL PROTECTED]
  Issuer Name:  /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Server
[EMAIL PROTECTED]
**** Verify called (1)
Certificate:
  Subject Name: /C=US/O=Equifax Secure Inc/CN=Equifax Secure E-Business CA-2
  Issuer Name:  /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Server
[EMAIL PROTECTED]
**** Verify called (1)
Certificate:
  Subject Name: /C=US/ST=California/L=Santa Clara/O=Network
Associates/OU=myCIO.com/CN=www.mycio.com
  Issuer Name:  /C=US/O=Equifax Secure Inc/CN=Equifax Secure E-Business CA-2


However, when I try to connect to a site using a snakeoil cert, it returns
**** Verify called (0)
Certificate:
  Subject Name:
/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/C
[EMAIL PROTECTED]
  Issuer Name:
/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/C
[EMAIL PROTECTED]
**** Verify called (1)
Certificate:
  Subject Name:
/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/C
[EMAIL PROTECTED]
  Issuer Name:
/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/C
[EMAIL PROTECTED]


And still verifies.  What do I need to do?  Once again, I apologize if this
sounds silly, but I can not find _any_ good documentation about this, and I
have never done any C openssl stuff.  Thanks.

 -Ian
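The behaviour the question asks for (fail unless the chain traces back to a CA in the local hashed directory), as an added example that is not code from the post or from Net::SSLeay itself.  $host, $port and $ca_dir are placeholders; the key differences from the sample are the verify mode (VERIFY_PEER instead of 0) and checking get_verify_result after the handshake.

```perl
#!/usr/bin/perl
# Added example, not the poster's or Net::SSLeay's own code. $host, $port and
# $ca_dir are placeholders; $ca_dir holds hashed CA symlinks like -CApath.
use strict;
use warnings;
use IO::Socket::INET;
use Net::SSLeay qw(die_now die_if_ssl_error);

my ($host, $port, $ca_dir) = ('www.example.com', 443, '/path/to/ca/dir');
Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

# Callback: log each failure but return OpenSSL's verdict unchanged.  Returning
# 1 here would accept any chain, which is what the sample callback amounts to.
sub verify {
    my ($ok, $store_ctx) = @_;
    unless ($ok) {
        my $err   = Net::SSLeay::X509_STORE_CTX_get_error($store_ctx);
        my $depth = Net::SSLeay::X509_STORE_CTX_get_error_depth($store_ctx);
        my $cert  = Net::SSLeay::X509_STORE_CTX_get_current_cert($store_ctx);
        my $subj  = $cert
            ? Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_subject_name($cert))
            : '(no cert)';
        warn sprintf "verify error at depth %d for %s: %s\n", $depth, $subj,
            Net::SSLeay::X509_verify_cert_error_string($err);
    }
    return $ok;
}
my $ctx = Net::SSLeay::CTX_new() or die_now("CTX_new failed");
# Trust only $ca_dir: no CTX_set_default_verify_paths, so the system bundle
# cannot silently supply a root the script did not choose.
Net::SSLeay::CTX_load_verify_locations($ctx, '', $ca_dir)
    or die_now("CTX_load_verify_locations($ca_dir) failed");
# VERIFY_PEER, not 0 (VERIFY_NONE): an untrusted chain now aborts the handshake.
Net::SSLeay::CTX_set_verify($ctx, Net::SSLeay::VERIFY_PEER(), \&verify);
Net::SSLeay::CTX_set_verify_depth($ctx, 5);

my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
    Proto => 'tcp') or die "connect $host:$port: $!\n";
my $ssl = Net::SSLeay::new($ctx) or die_now("SSL_new failed");
Net::SSLeay::set_fd($ssl, fileno($sock));
Net::SSLeay::connect($ssl) > 0 or die_now("SSL_connect failed (chain not trusted?)");
# Second check: the stored verify result must be X509_V_OK before sending data,
# so a too-permissive callback still cannot let an untrusted chain through.
my $res = Net::SSLeay::get_verify_result($ssl);
$res == Net::SSLeay::X509_V_OK()
    or die "chain not trusted: " . Net::SSLeay::X509_verify_cert_error_string($res) . "\n";
print "verified chain for $host\n";
```

This checks chain trust only; matching the certificate's subject against $host is a separate check that neither this script nor the s_client command above performs.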
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
