Hi Konrad:

Konrad Kleine wrote:
> I also posted this question on the users mailing list.
>
> Hello,
>
> we are writing a client/server application in C/C++ using OpenSSL.
> <SNIP>
> That's fine, but is it possible to verify the server's certificate on
> the client side by specifying a whole directory, or perhaps the copy of
> the server's certificate file directly?
>
> In our examples, verification fails if we don't specify a file that
> contains the CA certificate among others.

This is actually correct behaviour. In order to check a certificate's validity, you need to check:

1: That it was signed by a "trusted" CA.
2: That it is in its validity period.
3: That it isn't revoked.
4: That it is being used according to any critical extensions.
5: You SHOULD check and make sure that non-critical extensions are obeyed as well.
6: That it was issued according to a Certificate Policy that you have chosen.

The OpenSSL verification routines do a fairly good job of handling 1, 2, 3 and 4, although: you have to supply your own code to handle CRL Distribution Points and the actual downloading of the CRL; you have to provide an already built trust path, since AIA chasing isn't possible directly from within the OpenSSL verification routines (which is probably a good thing :); and there are only a small number of critical fields that OpenSSL can handle by default. To handle the full set of requirements, including 5 and 6, you have to implement custom routines yourself, or use something like Pathfinder (http://pathfinder-pki.googlecode.com).

So, you should be providing the CA that signed the server cert to the client (or else, how do you know and trust the signature in the server certificate?). Just checking the server certificate doesn't actually get you anything (if you are just going to do that, don't use certificates, and just use some form of shared secret).

Have fun.

Patrick.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
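The checks Patrick lists (trusted CA, validity period, revocation, critical extensions) and Konrad's two questions (a CA directory instead of a file; trusting the server certificate directly) can be exercised with nothing but the openssl command-line tool, which runs the same X509_verify_cert() logic a client would. The script below is an added example, not part of the original thread or of the OpenSSL project: it builds a throwaway CA and server certificate, revokes the server certificate, and then runs `openssl verify` under six trust configurations. All names (Demo Test CA, server.example.test, the temporary directory layout and the minimal ca/req config files) are invented for the demo; the only assumption is an openssl binary (1.1.1 or 3.x) on PATH.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenSSL): exercise the
# verification checklist from the reply with the openssl CLI.
# Assumes `openssl` (1.1.1 or 3.x) is on PATH. Every name below is made up.
set -eu

PKI=$(mktemp -d)   # mktemp paths contain no whitespace, so $PKI is used unquoted later

# Minimal req config so the CA gets exactly the extensions we want: CA:TRUE and
# keyCertSign/cRLSign, both critical. OpenSSL's chain walk enforces these
# (point 4 of the checklist); a v3 "CA" without basicConstraints is rejected.
cat > "$PKI/req.cnf" <<EOF
[ req ]
distinguished_name   = dn
x509_extensions      = ca_ext
prompt               = no
[ dn ]
CN = Demo Test CA
[ ca_ext ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# 1. Self-signed test CA (point 1: this is the "trusted" CA).
openssl req -x509 -config "$PKI/req.cnf" -newkey rsa:2048 -nodes -sha256 \
  -days 365 -keyout "$PKI/ca.key" -out "$PKI/ca.pem" 2>/dev/null

# 2. Server certificate issued by that CA.
openssl req -new -config "$PKI/req.cnf" -subj "/CN=server.example.test" \
  -newkey rsa:2048 -nodes -keyout "$PKI/server.key" -out "$PKI/server.csr" 2>/dev/null
openssl x509 -req -sha256 -days 365 -in "$PKI/server.csr" \
  -CA "$PKI/ca.pem" -CAkey "$PKI/ca.key" -CAcreateserial \
  -out "$PKI/server.pem" 2>/dev/null

# 3. A CApath directory. OpenSSL looks trust anchors up by subject-name hash,
#    so the file has to be named <hash>.0; a plain ca.pem in the dir is ignored.
mkdir "$PKI/certs"
cp "$PKI/ca.pem" "$PKI/certs/$(openssl x509 -subject_hash -noout -in "$PKI/ca.pem").0"

# 4. Revoke the server certificate and issue a CRL (point 3). The tiny ca
#    config is only what `openssl ca -revoke` and `-gencrl` need.
cat > "$PKI/ca.cnf" <<EOF
[ ca ]
default_ca  = demo_ca
[ demo_ca ]
database    = $PKI/index.txt
certificate = $PKI/ca.pem
private_key = $PKI/ca.key
default_md  = sha256
EOF
: > "$PKI/index.txt"
openssl ca -config "$PKI/ca.cnf" -revoke "$PKI/server.pem" 2>/dev/null
openssl ca -config "$PKI/ca.cnf" -gencrl -crldays 30 -out "$PKI/ca.crl" 2>/dev/null

# verify_server MODE: run `openssl verify` on server.pem under one trust
# configuration and print "ok" or "fail". Never aborts the script.
verify_server() {
  mode=$1
  case "$mode" in
    no_ca)            trust="" ;;                                            # nothing trusted
    cafile)           trust="-CAfile $PKI/ca.pem" ;;                         # CA from a file
    capath)           trust="-CApath $PKI/certs" ;;                          # CA from a hashed dir
    leaf_only)        trust="-CAfile $PKI/server.pem" ;;                     # "trust" the server cert itself
    outside_validity) trust="-attime 946684800 -CAfile $PKI/ca.pem" ;;       # evaluate at 2000-01-01 (point 2)
    revoked)          trust="-crl_check -CAfile $PKI/ca.pem -CRLfile $PKI/ca.crl" ;;  # point 3
    *)                echo fail; return 0 ;;
  esac
  if openssl verify $trust "$PKI/server.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

for mode in no_ca cafile capath leaf_only outside_validity revoked; do
  printf '%-17s %s\n' "$mode" "$(verify_server "$mode")"
done
```

Only `cafile` and `capath` succeed, which answers the directory question: a directory works, but only when the anchors are stored under their subject-hash names (`openssl rehash`/`c_rehash` does the renaming in bulk). `leaf_only` fails because OpenSSL's chain builder only accepts a chain that ends in a self-signed certificate from the trust store, unless X509_V_FLAG_PARTIAL_CHAIN is set; dropping the CA and "trusting" the leaf is exactly what Patrick advises against. In a C client the same three knobs are SSL_CTX_load_verify_locations(ctx, cafile, capath), SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL) and X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_CRL_CHECK) after adding the CRL to the store; fetching that CRL from the CDP is, as the reply says, left to your own code.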