Yunhong Li wrote:
>
> > o Steve is currently working on (in no particular order):
> > Proper (or at least usable) certificate chain verification.
>
> I thought this was already working in 0.9.4.
> SSL_CTX_use_certificate_chain_file will load the cert chain for the
> server cert chain. SSL_CTX_set_verify and SSL_CTX_set_default_verify_paths
> will verify the client cert chain. What am I missing?
>
Chain verification is when you have a certificate chain and want to
verify it.
Currently the only safe way to verify things is to keep everything but
the end user ("leaf") certificate locally and not take any notice of
any untrusted CA certificates passed in. This is done in several ways at
an application level. Even then you could still do things like use
client certificates as servers and other similar problems.
Proper chain verification checks the certificates can be used for the
purpose you are trying to use them for and verifies the untrusted CA
certificates really are CA certificates.
Put briefly, it involves doing various consistency checks on the
extensions of the certificates and including various workarounds so the
various broken certificates still work.
Getting this going needed a lot of work. It's present in the latest
snapshot but still needs extensive testing. The real test I suspect will
be when OpenSSL 0.9.5 gets released...
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
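As an added illustration (not Steve's code and not OpenSSL's), here is a toy Python model of the checks his reply describes: each peer-supplied issuer must really be a CA (basicConstraints, and keyUsage when present), the leaf must fit the purpose it is used for (so a client certificate cannot act as a server), only a locally held anchor can terminate the chain, and a legacy v1 root with no basicConstraints is tolerated as a workaround. Signature verification and validity dates are assumed to be handled elsewhere; all certificates and names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Cert:
    """Constructed stand-in for the fields chain checks look at (no crypto)."""
    subject: str
    issuer: str
    version: int = 3                      # X.509 v1 certs carry no extensions
    ca: Optional[bool] = None             # basicConstraints CA flag, None = absent
    key_usage: Set[str] = field(default_factory=set)      # e.g. {"keyCertSign"}
    ext_key_usage: Set[str] = field(default_factory=set)  # e.g. {"serverAuth"}

def is_ca(cert: Cert) -> bool:
    """Issuer must really be a CA; workaround: v1 certs have no basicConstraints."""
    if cert.ca is None:
        return cert.version == 1
    if not cert.ca:
        return False
    return not cert.key_usage or "keyCertSign" in cert.key_usage  # KU, if present

def fits_purpose(leaf: Cert, purpose: str) -> bool:
    """A CA cert is not an end entity; EKU, when present, must list the use."""
    wanted = {"sslserver": "serverAuth", "sslclient": "clientAuth"}[purpose]
    if leaf.ca:
        return False
    return not leaf.ext_key_usage or wanted in leaf.ext_key_usage

def verify_chain(leaf: Cert, untrusted: List[Cert], trusted: Dict[str, Cert],
                 purpose: str, max_depth: int = 8) -> Tuple[bool, str]:
    """Follow issuer links through peer-supplied certs to a local anchor.
    Signatures and validity dates are assumed checked elsewhere (assumption)."""
    if not fits_purpose(leaf, purpose):
        return False, "leaf not valid for " + purpose
    by_subject = {c.subject: c for c in untrusted}
    cur = leaf
    for _ in range(max_depth):
        if cur.issuer in trusted:            # only a local anchor ends the chain
            anchor = trusted[cur.issuer]
            return (True, "ok") if is_ca(anchor) else (False, "anchor is not a CA")
        nxt = by_subject.get(cur.issuer)
        if nxt is None:
            return False, "unable to get issuer certificate for " + cur.subject
        if nxt is cur:
            return False, "self-signed certificate not in trust store"
        if not is_ca(nxt):                   # peer CA certs get no benefit of doubt
            return False, "untrusted issuer is not a CA: " + nxt.subject
        cur = nxt
    return False, "certificate chain too long"
```

The last two rejections are the cases Steve's reply warns about: an end-entity certificate presented as an issuer, and a CA certificate that the peer supplied but that is not in the local trust store.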