On Fri, Aug 03, 2012, Saurabh Pandya wrote:

> Hi all,
> 
> I am using server certificate "X" programmatically with the following API for each
> SSL * session. X is dynamically generated for each client, while its CA(s)
> are always the same.
> 
>          SSL_use_certificate(this_ssl, X);
> 
> It works fine when there is a single CA certificate "A" which signs "X",
> 
> but when I want to use an intermediate CA "B", child of "A", then
> I am sure the above API won't work.
> 
> To make it work I found the following APIs in the documentation:
>   1) int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file);
>   2) long SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509);
>   3) int SSL_use_certificate_file(SSL *ssl, const char *file, int type);
> 
> But it seems 1 & 2 both work only on SSL_CTX *, while I need an API that works
> on SSL *, as I want to give a different certificate chain to each client.
> 
> And 3 won't be applicable for me as I am loading certificates from memory and
> not from a file.
> 
> Does anybody have any idea how to load several certificates into SSL *ssl to form
> a complete chain (note: I have all my CA certificates "A" and "B" in memory)?
> 

For currently released versions of OpenSSL this isn't possible directly: there
is one chain of extra certificates which is associated with the parent SSL_CTX.

The latest HEAD code supports per SSL chains and indeed distinct chains per
certificate type. That functionality will most likely be ported to OpenSSL
1.0.2 at some point before it is released.

For released versions of OpenSSL there is a workaround to add all the CA
certificates you might need to the parent SSL_CTX trusted store. Then when a
connection is established the chain is built up automatically using the
correct chain.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org