> I've been doing the same task, and have found it easiest using the
> simple client example in the demos\ssl directory - s_client is
> reasonably complex for what is a reasonably simple task.

me too...

> What I don't understand is how to authenticate the server once the
> secure connection has been established - In theory, I believe, it
> could be any secure server using any snakeoil CA that I have
> connected to.

I am trying to figure this out myself. What I think you have to do is embed
some CA certificate (the public key???) into your client application. Then
somehow that is checked against the server's certificate, which was produced
by the CA's private key.
Can someone please clarify this, and how it relates to OpenSSL calls?
At the moment what I'm doing is not working:

int Initialise()
{
  ...
  /* Ask the peer for its certificate and have OpenSSL verify it; verify_cb
     is called once per certificate in the chain with ok = the library's
     verdict for that certificate. */
  SSL_CTX_set_verify(mSSLctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                     verify_cb);
  /* key.pem has to be a PEM file holding the CA certificate(s) to trust,
     not the client's own key. */
  if (!SSL_CTX_load_verify_locations(mSSLctx, "d:\\windows\\key.pem", NULL) ||
      !SSL_CTX_set_default_verify_paths(mSSLctx))
  {
    return FAILED;
  }
  ...
}
It's probably not working because I'm not using the right key.pem or
something, or because I'm missing some other OpenSSL call that is essential
for this to work.

What's happening is that verify_cb(int ok, X509... *ctx) is being called
with ok = 0. All it does is return ok, and the connect fails.

> Is there a standard method for a client to authenticate a server & a
> server's CA?  It seems to be a basic enough function, but I keep getting
> lost in the headers.

I hope there is.

> Is it enough just to parse the details provided by
> X509_get_issuer_name  (server_cert) ? (I don't think so)

No it isn't, but it's probably a good idea.

> The mysterious comment in cli.cpp:
> 
>   /* We could do all sorts of certificate verification stuff here
>      before deallocating the certificate. */
> 
> tells me I'm missing something.

Hmmm. I wonder if "all sorts of stuff" should be done in the client
connect/write/read function, or the verify callback function? At the moment
I don't do any issuer/subject name validation because I'm just trying to get
the cert verification going.
Hope this was slightly helpful.

Ben Wooller

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
