On Mon, Dec 18, 2000 at 10:01:56AM +0800, [EMAIL PROTECTED] wrote:
> hi all, I am a newbie on openssl. I don't know how to verify the server-side
> certificate. In the cli.cpp that shipped with openssl I find the way to get
> the server's certificate info as follows:
>
> /* Get server's certificate (note: beware of dynamic allocation) - opt
> */
>
> server_cert = SSL_get_peer_certificate (ssl); CHK_NULL(server_cert);
> printf ("Server certificate:\n");
>
> str = X509_NAME_oneline (X509_get_subject_name (server_cert),0,0);
> CHK_NULL(str);
> printf ("\t subject: %s\n", str);
> Free (str);
>
> str = X509_NAME_oneline (X509_get_issuer_name (server_cert),0,0);
> CHK_NULL(str);
> printf ("\t issuer: %s\n", str);
> Free (str);
>
> /* We could do all sorts of certificate verification stuff here before
> deallocating the certificate. */
>
> X509_free (server_cert);
> How do I do the certificate verification stuff here?
The verification of the certificate was already performed by OpenSSL for
you. Do an SSL_get_verify_result() call to query the result of the verification
process. Manual pages for SSL_get_verify_result and SSL_get_peer_certificate
are available (at least on www.openssl.org, as documentation is work in
progress).
What is left for you is to verify the server name against the certificate
contents (you want to know whether your peer matches your expectations).
This is typically done by checking the CommonName in the certificate against
the hostname you used for opening the connection. To obtain the CommonName
the following function can be used:
char CNbuffer[CCERT_BUFSIZ];
/* returns the length of the CommonName copied into CNbuffer, or -1 if the
   subject has no CommonName entry at all */
if (X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
                              NID_commonName, CNbuffer, CCERT_BUFSIZ) < 0)
    /* no CommonName: treat as a name mismatch */ ;
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
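The decision logic Lutz describes, as an added example that is not code from the thread or from OpenSSL: accept the peer only if a certificate was presented, SSL_get_verify_result() returned X509_V_OK, the CommonName was extracted cleanly, and that CommonName matches the hostname the client dialled. It is written in plain C with no OpenSSL dependency so the matching rules can be compiled and tested on their own; the three inputs (verify result, whether SSL_get_peer_certificate() returned non-NULL, and the buffer plus return value of X509_NAME_get_text_by_NID()) are passed in as parameters. The names check_peer, cn_matches_host, cn_buffer_ok and X509_V_OK_VALUE are this example's own; OpenSSL's X509_V_OK is 0, which the example mirrors. The wildcard rule (one leftmost "*" label matching exactly one hostname label) goes beyond the exact CommonName comparison the reply mentions; on current OpenSSL releases, X509_check_host() or SSL_set1_host() does this comparison for you, including subjectAltName entries, and should be preferred over hand-written CN matching.

```c
/* Added example: post-handshake peer checks, plain C (no OpenSSL needed). */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define X509_V_OK_VALUE 0L   /* OpenSSL defines X509_V_OK as 0 */

/* Case-insensitive comparison of two DNS names (hostnames are case-insensitive). */
static int dns_name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Does the certificate CommonName match the hostname we connected to?
 * Accepts an exact case-insensitive match, or a single leftmost wildcard
 * label ("*.example.com") standing for exactly one label: it matches
 * "www.example.com" but not "example.com" nor "a.b.example.com". */
int cn_matches_host(const char *cn, const char *host)
{
    if (cn == NULL || host == NULL || *cn == '\0' || *host == '\0')
        return 0;
    if (cn[0] == '*' && cn[1] == '.') {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)      /* host needs a non-empty first label */
            return 0;
        if (strchr(cn + 2, '.') == NULL)     /* refuse over-broad "*.com" style names */
            return 0;
        return dns_name_eq(cn + 2, dot + 1); /* remaining labels must match exactly */
    }
    return dns_name_eq(cn, host);
}

/* Sanity-check the buffer filled by X509_NAME_get_text_by_NID():
 * ret < 0 means the subject has no CommonName; a returned length larger
 * than strlen(buf) means the name contains an embedded NUL byte, which
 * must be rejected rather than silently compared up to the NUL. */
int cn_buffer_ok(const char *buf, int ret)
{
    if (ret < 0)
        return 0;
    return strlen(buf) == (size_t)ret;
}

enum peer_decision { PEER_ACCEPT = 0, PEER_NO_CERT, PEER_CHAIN_FAILED,
                     PEER_BAD_CN, PEER_NAME_MISMATCH };

/* Combine the checks a client should make after SSL_connect() succeeds.
 * verify_result: value of SSL_get_verify_result(ssl)
 * have_cert:     SSL_get_peer_certificate(ssl) != NULL
 * cn_buf/cn_ret: buffer and return value of X509_NAME_get_text_by_NID()
 * host:          the hostname the client used to open the connection */
enum peer_decision check_peer(long verify_result, int have_cert,
                              const char *cn_buf, int cn_ret, const char *host)
{
    if (!have_cert)
        return PEER_NO_CERT;        /* e.g. anonymous cipher: nothing to verify */
    if (verify_result != X509_V_OK_VALUE)
        return PEER_CHAIN_FAILED;   /* chain did not verify against trusted CAs */
    if (!cn_buffer_ok(cn_buf, cn_ret))
        return PEER_BAD_CN;
    if (!cn_matches_host(cn_buf, host))
        return PEER_NAME_MISMATCH;  /* valid cert, but for a different name */
    return PEER_ACCEPT;
}

int main(void)
{
    /* constructed inputs standing in for the OpenSSL call results */
    const char *cn = "*.example.com";
    int cn_len = (int)strlen(cn);
    printf("www.example.com  -> %d\n", check_peer(0L, 1, cn, cn_len, "www.example.com"));
    printf("example.com      -> %d\n", check_peer(0L, 1, cn, cn_len, "example.com"));
    printf("chain failure    -> %d\n", check_peer(1L, 1, cn, cn_len, "www.example.com"));
    return 0;
}
```

A client that performs these checks must also have loaded its trusted CA certificates and left verification enabled; otherwise SSL_get_verify_result() reports failures that the handshake did not abort on, which is exactly why the reply tells you to query it explicitly.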