> This helps. Thanks. Also, checking if the certificate is issued/signed
> by a certificate authority that I trust is done during the call to
> SSL_connect/accept right? At least it seems to be.
SSL_get_verify_result will let you know if the certificate is well-formed, properly signed, and issued by a CA you trust. After that, pretty much all you need to do is decide whether that certificate was issued to someone who is supposed to access the resource.

How you do that depends upon several factors. For example, if you only trust CAs specifically designed for this application, you could have a certificate extension that lists what the certificate is used for or whose mere existence indicates permission to access this server. If you use public CAs, then you may wish to extract the identity and check it against a list. It really depends a lot on the details of your application and why you are checking the peer in the first place.

I believe Apache pretty much just makes sure the certificate passes the basic validity checks and stashes the certificate information where scripts and modules can easily find it so they can make their own allow/disallow/restrict decisions.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
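The two-stage check described above (let the library verify chain and CA trust, then decide yourself whether the verified identity is allowed), as an added example that is not from the thread or from OpenSSL itself. It uses Python's standard ssl module instead of the C API: with CERT_REQUIRED a failed chain/CA verification aborts the handshake (the counterpart of SSL_get_verify_result() not returning X509_V_OK), and getpeercert() then exposes the verified subject and subjectAltName for the allow-list decision. SAMPLE_PEER_CERT is a constructed dict in the shape getpeercert() returns; make_server_context() and authorize_peer() assume your own certificate, key and CA file paths.

```python
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for a
# verified peer. Real values come from the handshake, never from the client.
SAMPLE_PEER_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "client42.example.test"),)),
    "issuer": ((("commonName", "Example Private CA"),),),
    "subjectAltName": (("DNS", "client42.example.test"),
                       ("email", "ops@example.test")),
}


def peer_identities(cert):
    """Every identity the verified certificate asserts, as (kind, value) pairs.

    Subject CN is reported as ("CN", value); subjectAltName entries keep their
    own kind ("DNS", "email", "IP Address", ...). An empty dict (no peer
    certificate) yields an empty set, so the caller fails closed.
    """
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(("CN", value))
    for kind, value in cert.get("subjectAltName", ()):
        names.add((kind, value))
    return names


def peer_allowed(cert, allow_list):
    """Application-level decision: is any verified identity on the allow list?"""
    return bool(peer_identities(cert) & set(allow_list))


def make_server_context(certfile, keyfile, ca_file):
    """Server context that requires and verifies a client certificate.

    Chain, signature and CA trust are checked by the library during the
    handshake; a client that fails verification never reaches the code below.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def authorize_peer(tls_sock, allow_list):
    """Second stage, run on an accepted ssl.SSLSocket after the handshake."""
    return peer_allowed(tls_sock.getpeercert() or {}, allow_list)
```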