Hi Goetz, Thanks again for replying to my questions ;-)
> > I have read the manual page ;-) However I don't understand the full > > implications of using or not using this function in a server. If I > > use it what does the client do with it? Does the client still need > > a copy of the root certificate or is this provided automatically by > > the server? The O'Reilly Book makes no mention of this function > > that I can find. > > ??? > Root cert for what ? > For his own cert ? > To verify that he is himself ? Our application is a client/server application for which we (i.e. the server) need to authenticate the client (users) and hence we are the only CA allowed. This is not a public application so the server and all the client certs are signed by us. Client authorisation is very important for us. We (well me) will be developing all the server software and a API for the client applications. I have already written a prototype with much help from this list, but I need to understand how to make the communications properly secure. > The root cert is needed by that side of the communication that wants > to verify the certificate presented by the other side. > > * If the client wants to verify that he really is talking to > the server he wants to talk to, > he needs the root cert of the cert chain that signed the server > cert. > * If the server wants to verify the client certificate, > he needs the root certificate of the chain that signed the > client certificate (if he also needs the intermediate > certificates or if the client sends them, I don't know) > And since the server initiates the verify he sends a list > of names of CA certificates he accepts for verify. I guess what I really want to know what would happen if I don't use the SSL_CTX_set_client_CA_list() function. The manual page seems to suggest there is a default value but I don't know what it is. > Since both sides use the root certificate as ultimate foundation > of trust, both sides need the root certificates they trust locally. > (And should discard all root certificates the peer sent) > > > > Do I need to program the client side any differently? > > If you want to be able to use more than one client certificate > (depending on what the server wants), > you have to set an client_cert_callback. > In it you fetch the list of accepted CA certificates > the server sent with SSL_get_client_CA_list(), > determine which cert (and key) you want to use, > set it with the appropriate functions and return the callback. Each client will only have one certificate. Do I need to use a client cert callback in this case? I am very confused about which callbacks are necessary and what exactly has to be done in them. > > Does SSL_load_client_CA_file() load the relevent > information from the > > root certificate or do I have to do something else to get this info? > > On client side or server side ? > It is not for use on client side. > You can use it on server side to load > the list of CA names the server accepts > (if he points his verify data to this file) On the server side. I guess this all boils down to what default CA list OpenSSL uses? Thanks again, Mark ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [EMAIL PROTECTED]
