On Tue, Nov 20, 2001 at 05:45:32PM -0800, ct l wrote:
> > Do not access members of the SSL object (ssl->...)
> > directly, as these
> > structures may change. Please use the official API
> > SSL_get_peer_certificate(),
> > SSL_get_peer_cert_chain() to obtain the
> > X509 objects. You can then simply write them to file
> > using the
> > PEM_write_X509()/PEM_write_bio_X509() function.
> 
> I managed to save the peer/server cert in my
> verify_callback in physical PEM file format, using:
> X509_STORE_CTX_get_current_cert();
> PEM_write_X509();
> 
> During subsequent authentication, I tried to load the
> saved file (say filename.pem) using
> verify_load_location(,"filename.pem", NULL), hoping
> that during client authentication with the same server
> in future, server cert can be verified correctly
> against the saved file. However, it still complains in
> verify_callback that peer cert by server is untrusted.

Ah! For the verification to succeed, you must capture the CA chain
including the root certificate. OpenSSL's verification routines by
now do not allow single peer certificates to be handled. The chain
must always be complete.

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
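An added illustration of Lutz's point using the openssl command-line tool (example code, not from the thread or from OpenSSL's own test suite). It assumes an `openssl` binary on PATH and builds throw-away test certificates in a temporary directory: the saved leaf certificate alone fails verification, the issuing CA (the complete chain) succeeds.

```sh
#!/bin/sh
# Added example (not code from the thread): why a saved peer certificate
# on its own is not enough for OpenSSL to verify the server. All key
# material below is constructed throw-away test data in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a private root CA and a server certificate signed by it. The root
# stands in for the real server's issuer; server.pem is the certificate
# X509_STORE_CTX_get_current_cert() would hand verify_callback at depth 0.
make_test_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Test Root CA" -keyout "$WORK/ca.key" \
        -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=test.example" -keyout "$WORK/server.key" \
        -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 -sha256 \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# verify_against <trust-file>: run OpenSSL's chain verifier on server.pem
# with <trust-file> as the trust store. This is the command-line twin of
# SSL_CTX_load_verify_locations() followed by the handshake-time check.
# Prints "OK" and returns 0 on success; otherwise prints the verifier's
# reason (e.g. "unable to get local issuer certificate") and returns 1.
verify_against() {
    if out=$(openssl verify -CAfile "$1" "$WORK/server.pem" 2>&1); then
        echo "OK"
        return 0
    fi
    echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n1
    return 1
}

make_test_certs
# The poster's approach: the trust store holds only the saved leaf.
printf 'leaf only : %s\n' "$(verify_against "$WORK/server.pem")"
# Lutz's advice: the trust store holds the issuing CA, i.e. the chain.
printf 'CA chain  : %s\n' "$(verify_against "$WORK/ca.pem")"
```

Newer OpenSSL releases add `openssl verify -partial_chain` (X509_V_FLAG_PARTIAL_CHAIN in the API), which lets a trusted non-root certificate terminate the chain; without that flag the default behaviour is still exactly what Lutz describes.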