Hi Rene:

Rene Hollan wrote:

> 2) Things like OCSP, CRLs, and other SSL "extensions" have always stumped me. Is it something the user of the library is responsible for, when validating a cert, or can the library do it itself when I try to establish an SSL connection, and to what degree can I control this? It always struck me that the cert validation callback is the place to do this, but I take heed of the fact that openssl is supposed to have a reasonable default cert validation routine and not to replace it without good reason.

This really has nothing to do with OpenSSL - or at least, only tangentially - if you don't understand the basics of how the IETF and ITU have defined X.509 and the Internet profiles, then no amount of OpenSSL documentation is going to save you.

If you read the specifications, you can very easily see that not only does OpenSSL not do every kind of validation under the sun, you probably wouldn't want it to (do you really want OpenSSL implementing a full HTTP stack in the crypto library just so that it can chase AIA, OCSP and CRLDP?) - so until one has a fuller understanding of exactly how the X.509 path discovery and validation process works, it is very difficult to see where OpenSSL should fit in this.

The current documentation, I think, for X509_verify and friends is, while not perfect, certainly adequate for anyone that knows exactly what they are doing to "do the right thing" (it was certainly fine for us when writing Pathfinder and WvStreams).

Please don't confuse "OpenSSL needs more documentation" with "The IETF and others should work harder to ensure that there are better examples and tutorials out there so that people implement PKI (and by extension TLS/SSL) properly".

And I agree with Victor - unless someone from the core OpenSSL team steps up, or someone volunteers to set up some sort of Wiki and pay for someone to spend a lot of time writing documentation, then I think this thread has gotten about as far as it can.

Patrick.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
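The split Patrick describes (the library does path validation; chasing and checking CRLs/OCSP is the application's job) in a runnable form. This is an added example, not code from the thread or from OpenSSL; it uses Go's standard crypto/x509 instead of OpenSSL's X509_verify so it runs without any C headers, and builds a throwaway CA, leaf and CRL in memory (all names, serials and the example.test hostname are constructed).

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// must panics on error: every input here is constructed, so a failure is a bug, not bad data.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// BuildPKI constructs in memory a CA, a leaf for example.test, and a CRL from that CA revoking the leaf.
func BuildPKI() (ca, leaf *x509.Certificate, crl *x509.RevocationList) {
	caKey, leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	from, until := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"}, NotBefore: from,
		NotAfter: until, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(42), DNSNames: []string{"example.test"}, NotBefore: from, NotAfter: until}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: until,
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: time.Now()}}}
	crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))))
	return ca, leaf, crl
}
// PathValid is the library's part: chain building, signatures, validity period, name checks. No revocation, so the revoked leaf passes.
func PathValid(ca, leaf *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "example.test"})
	return err == nil
}
// Revoked is the application's part: having obtained the CRL itself (handed in here), verify its signature against the issuer before trusting a lookup in it.
func Revoked(ca, leaf *x509.Certificate, crl *x509.RevocationList) (bool, error) {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

A real client would additionally have to fetch the CRL from the CRLDP (or query OCSP) and check its freshness against NextUpdate; none of that is done by Verify, which is exactly the gap the post is pointing at.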