On Nov 30, 2005, at 8:24 PM, Victor Duchovni wrote:
Yes, but the verification is optional, just tell SSL that the certs verify OK. Postfix only uses fingerprints of verified clients, but you don't have to do that. The machinery is much the same. In the Postfix client, the server verification is optional.
Okay, but I need to do _some_ verification:
- I need to check that the remote peer has provided a self-signed cert.
Can I do that by checking like this?
static int
verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
{
    if (X509_STORE_CTX_get_error(ctx)
        != X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
        fail();
    return 1;   /* returning 1 tells OpenSSL to continue with this cert */
}
- I need to check that that cert is in fact self-signed. Can I do it like this?
X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx);
EVP_PKEY *pkey = X509_PUBKEY_get(err_cert->cert_info->key);
/* X509_verify() returns 1 on success, 0 on a bad signature and -1 on
 * error, so test for <= 0 rather than !result */
if (pkey == NULL || X509_verify(err_cert, pkey) <= 0)
    failure();
EVP_PKEY_free(pkey);   /* X509_PUBKEY_get() returns a new reference */
- I need to get the public key with which it was signed, presumably like
this: X509_PUBKEY_get(err_cert->cert_info->key)
And how do I get SSL_get_peer_certificate() to return non-NULL later
on? There doesn't seem to be a corresponding set function.
Thanks a bunch for the quick responses!
Sean
--
Human beings were created by water to transport it uphill.
-- Unix fortune
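The three checks Sean asks about, done against real certificates with the openssl command-line tool rather than the C API. This is an added example, not code from the thread, from Postfix or from OpenSSL's own sources; it constructs its own keys and certificates (the name /CN=peer and all file names are made up) and assumes an openssl binary that understands verify -check_ss_sig (1.0.2 or later). It goes one step beyond the question: besides a genuinely self-signed cert it builds an impostor whose issuer name equals its subject name but whose signature was made with a different key, which is exactly the case a name comparison alone accepts and the X509_verify(cert, own-key) check rejects.

```shell
#!/bin/sh
# Added example, not code from the thread or from Postfix: Sean's checks
# (is the peer cert self-issued, is it really signed by its own key, what is
# that key) done with the openssl CLI on certificates constructed right here.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material; /CN=peer and the file names are made up.
# 1. A genuine self-signed certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=peer \
    -keyout "$WORK/genuine.key" -out "$WORK/genuine.pem" 2>/dev/null
# 2. An impostor: issuer name equals subject name, but the signature was
#    made with a different key (a separate signer that shares the name).
#    "issuer == subject" alone would call this self-signed.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=peer \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj /CN=peer \
    -keyout "$WORK/impostor.key" -out "$WORK/impostor.csr" 2>/dev/null
openssl x509 -req -in "$WORK/impostor.csr" -CA "$WORK/other.pem" \
    -CAkey "$WORK/other.key" -set_serial 2 -days 1 \
    -out "$WORK/impostor.pem" 2>/dev/null
GENUINE="$WORK/genuine.pem"
IMPOSTOR="$WORK/impostor.pem"

# Check 1: is the certificate self-issued (issuer name == subject name)?
# A pure name comparison, what X509_NAME_cmp() on issuer and subject gives.
names_match() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo yes; else echo no; fi
}

# Check 2: does the signature verify under the certificate's OWN public key?
# Trusting the cert as its own anchor and verifying it is the CLI form of
# X509_verify(cert, X509_get_pubkey(cert)).  -check_ss_sig matters: by
# default X509_verify_cert() skips the signature check on a self-signed
# trust anchor (X509_V_FLAG_CHECK_SS_SIGNATURE turns it on), so without it a
# self-issued cert found in the store is accepted with its signature unchecked.
self_signature_ok() {
    if openssl verify -check_ss_sig -CAfile "$1" "$1" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Check 3: the public key the certificate carries, which for a genuinely
# self-signed cert is also the key that signed it (X509_get_pubkey in C).
peer_pubkey() {
    openssl x509 -in "$1" -noout -pubkey
}

# What Postfix records instead of the whole certificate: a digest of it.
peer_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

for c in "$GENUINE" "$IMPOSTOR"; do
    echo "$(basename "$c"): names_match=$(names_match "$c")" \
         "self_signature_ok=$(self_signature_ok "$c")"
done
```

Run stand-alone it prints one line per certificate; the genuine one passes both checks, the impostor passes the name check and fails the signature check. The C equivalent of the second function inside a verify callback is the X509_verify() call from the question, and if you instead lean on X509_verify_cert() for it, set X509_V_FLAG_CHECK_SS_SIGNATURE on the X509_VERIFY_PARAM or the self-signature is never examined.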