When my client connects to a server for the first time and the server responds with a certificate that has been issued by an unknown authority, I want to present the server certificate to the user and ask them if they want to trust this certificate. On subsequent connects we should go through just fine. This is what web browsers do, for example Firefox.
It seems like I can't just add that server certificate to the client's list of CA certificates and expect this to work. So my current thinking is that I need to create a custom verify function, and set it with SSL_CTX_set_verify(). Then, if the certificate verify failed (like it would in this case), ask the user. If yes, change the failure code to success, and store the server certificate so we can check new connects against the list of user-approved certs. I should be able to just match the hash of the certificates, I presume.

Does this seem correct, or are there better/other ways?

PS. It seems like this would be a frequent enough need that there should be something like SSL_CTX_load_peer_certificates(), SSL_CTX_add_peer_certificate() without requiring everyone to write custom (and error-prone) verification routines. Assuming my approach above is correct, of course.

--
Heikki Toivonen
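The trust-on-first-use flow described in the message above, as an added example that is not part of the original post and is not OpenSSL code. Python's ssl module stands in for the C API, and PinStore, connect_tofu, the JSON pin file and the ask_user callback are hypothetical names. Each approved fingerprint is keyed to host:port, so an approved certificate is accepted only for the server it was approved for, and a changed certificate is reported as a mismatch instead of triggering a new prompt.

```python
import hashlib
import hmac
import json
import os
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding of the peer certificate."""
    return hashlib.sha256(der).hexdigest()


class PinStore:
    """User-approved certificate fingerprints, one per host:port (hypothetical helper)."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def check(self, host, port, der, ask_user):
        key = f"{host}:{port}"
        fp = fingerprint(der)
        pinned = self.pins.get(key)
        if pinned is not None:
            # Known server: the user is not asked again, and a different
            # certificate is a hard failure rather than a fresh prompt.
            return "match" if hmac.compare_digest(pinned, fp) else "mismatch"
        if not ask_user(key, fp):  # first contact: show the fingerprint, let the user decide
            return "rejected"
        self.pins[key] = fp
        with open(self.path, "w") as f:
            json.dump(self.pins, f)
        return "pinned"


def connect_tofu(host, port, store, ask_user):
    """Handshake without chain validation, then gate the socket on the pin check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # the pin check below replaces chain validation
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    verdict = store.check(host, port, sock.getpeercert(binary_form=True), ask_user)
    if verdict not in ("match", "pinned"):
        sock.close()  # nothing has been sent over the session yet
        raise ssl.SSLError(f"certificate for {host}:{port}: {verdict}")
    return sock
```

The pin file must be writable only by the user it belongs to, since anyone who can edit it can approve a certificate on the user's behalf.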