I'm not a professional C programmer, but I occasionally use C to create administrative "scripts". I'm sorry if I'm asking for anything trivial and will be very thankful if you direct me to the relevant documentation.
The question: I'm trying to obtain the SSL certificate for the POP3S server of live.com to use with a POP3S library (libspopc).

openssl s_client -connect pop3.live.com:995 -showcerts produces:

CONNECTED(00000003)
depth=2 CN = Microsoft Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=pop3.live.com
   i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
-----BEGIN CERTIFICATE-----
............................................................
-----END CERTIFICATE-----
 1 s:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
   i:/CN=Microsoft Internet Authority
-----BEGIN CERTIFICATE-----
..........................................................
-----END CERTIFICATE-----
 2 s:/CN=Microsoft Internet Authority
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
-----BEGIN CERTIFICATE-----
..............................................................
-----END CERTIFICATE-----

So we have:

CyberTrust Global Root ---signs---> Microsoft Internet Authority ---signs---> Microsoft Secure Server Authority ---signs---> pop3.live.com
(valid until 2018) (valid until 2014) (valid until mid-2013)

I had the smart idea of adding the CyberTrust Global Root to my embedded application and using it to validate the certificate chain. There is a problem though: if CyberTrust Global Root signs other certificates, this verification will result in any certificate signed by CyberTrust being valid. How should I approach a solution to this problem? Look at CNs? What if something like this happens:

CyberTrust Global Root ---signs---> Some Private Org ---signs fake---> pop3.live.com

For example, my POP3S library doesn't seem to mind if the address I'm connecting to is something different from pop3.live.com:995.
I did a little manipulation of /etc/hosts and now I'm able to connect to the same server (same IP) under a different domain name. Are there some standard library functions that automate this process?
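The standard answer to the question above is that chain validation against a trusted root is only half of the check: the library must also compare the name in the peer certificate with the host name the client intended to reach (in OpenSSL this is X509_check_host(), or SSL_set1_host() before the handshake in 1.1.0 and later). The following is an added example, not code from the original post or from libspopc, that implements that name-matching rule in plain C so the behaviour can be seen without an OpenSSL build; it assumes the candidate names have already been extracted from the certificate's subjectAltName dNSName entries (or the CN fallback).

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive comparison of n bytes of two DNS names. */
static bool eq_ci(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/*
 * Return true if a certificate name (a dNSName such as "pop3.live.com"
 * or "*.live.com") matches the host we intended to reach.
 * Rules (RFC 6125 style, stricter than OpenSSL's default flags):
 *  - exact, case-insensitive match; or
 *  - '*' is the entire left-most label, matches exactly one host label,
 *    and at least two labels follow it ("*.com" is rejected).
 */
bool cert_name_matches(const char *pattern, const char *host)
{
    size_t plen = strlen(pattern), hlen = strlen(host);
    if (plen == 0 || hlen == 0) return false;
    if (plen == hlen && eq_ci(pattern, host, plen)) return true;

    /* Only a leading "*." wildcard is accepted, and no other '*' anywhere. */
    if (strncmp(pattern, "*.", 2) != 0 || strchr(pattern + 1, '*') != NULL) return false;
    const char *suffix = pattern + 1;                  /* e.g. ".live.com" */
    size_t slen = plen - 1;
    if (strchr(suffix + 1, '.') == NULL) return false; /* fewer than two labels after '*' */
    /* host must end with suffix, preceded by exactly one non-empty label */
    if (hlen <= slen || !eq_ci(host + hlen - slen, suffix, slen)) return false;
    size_t first = hlen - slen;                        /* length of host's first label */
    return first > 0 && memchr(host, '.', first) == NULL;
}

/* Accept the certificate only if one of its n names matches host. */
bool cert_names_match(const char *const *names, size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (cert_name_matches(names[i], host)) return true;
    return false;
}
```

With this check in place, the /etc/hosts experiment in the post is rejected: the chain still validates, but none of the certificate's names match the host name the client asked for.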