Greetings,

   I am writing a client/server app in which the client needs to validate
that the server it is connecting to is actually who it claims to be.
The server is using a self-signed certificate.  The logic would
(hopefully) be along the lines of:

1. establish an SSL connection to a server
2. get their certificate
3. verify that it matches the certificate I have stored locally
4. if not, break the connection, otherwise proceed

   Essentially what I want to do is strcmp() the certificate I receive
with my local one, but of course that's incredibly easy to spoof.

   Currently the only option I can see is to generate some garbage data on
the server side, encrypt that with the private key, send both the garbage
and the encrypted garbage (signature) to the client, then have the client
decrypt those with the public key and make sure they match.

   This seems like something that would be built into the SSL negotiation,
however there is a huge list of functions, most of which are undocumented.
I can't seem to figure which one(s) I would want to use.

   There is a bunch of stuff related to tracing back "trusted" certificates,
but I really only want one certificate to be valid, one that I include
in my code as a static string.

   Any tips much appreciated.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
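
The four steps listed in the post, sketched as an added example that is not part of the original message or of OpenSSL's own code. It uses Python's ssl module (a wrapper around OpenSSL) so it runs stand-alone. The function names and SAMPLE_DER are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def pin_from_pem(pem: str) -> bytes:
    """SHA-256 over the DER form of the locally stored certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).digest()


def matches_pin(peer_der, pin: bytes) -> bool:
    """Step 3: exact match between the received certificate and the stored one."""
    if not peer_der:  # no certificate presented (e.g. anonymous cipher suite)
        return False
    return hmac.compare_digest(hashlib.sha256(peer_der).digest(), pin)


def pinning_context() -> ssl.SSLContext:
    """Client context with CA chain building off; the pin is the only trust decision."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # no "trusted CA" walk for a self-signed cert
    return ctx


def connect_pinned(host: str, port: int, pinned_pem: str) -> ssl.SSLSocket:
    """Steps 1-4: handshake, fetch the peer certificate, compare, drop on mismatch."""
    raw = socket.create_connection((host, port), timeout=10)
    try:
        # With a certificate-authenticated cipher suite, a completed handshake
        # means the peer used the private key matching the certificate it sent,
        # so presenting a copied certificate alone does not get this far.
        tls = pinning_context().wrap_socket(raw)
    except Exception:
        raw.close()
        raise
    # C API counterpart: SSL_get_peer_certificate() followed by X509_digest().
    if not matches_pin(tls.getpeercert(binary_form=True), pin_from_pem(pinned_pem)):
        tls.close()
        raise ssl.SSLError("server certificate does not match the pinned copy")
    return tls  # no application data has been sent before this point


# Constructed stand-in bytes, not a real certificate: enough to exercise the comparison.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
```

In real use, pinned_pem is the server's certificate in PEM form, stored in the client as a static string, and connect_pinned() is called before any application data is exchanged.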