Hello, I have some generic questions about the usage of OpenSSL for HTTPS. I'm not into security and I don't know OpenSSL very well, so maybe my questions will appear a little noob; sorry if they do.
Just for info, I'm developing a client app that has to interact with a server. I'm on Linux and Windows, in C++, using libneon. I have to talk to a server using a self-signed certificate (server and clients will be in a LAN, not over the internet). I know how to check in my app whether the certificate is valid or not; as it is self-signed and as I didn't configure anything special on the client side, it is not (not CA trusted). I plan to let users decide whether they want to trust it or not, allowing them to add an exception (exactly as browsers do).

My first question is: is it safe to store the server certificate on the client side, in order to compare it? I guess it's not, since it could be stolen from the client side? A solution would be to store it as MD5? Then at each connection, get the server certificate, compute its MD5 and compare?

And if I decided to declare that certificate as safe, would I have to put the server certificate as CA certified on client installation, as in the link http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl? But in that way too it could be stolen from the client side, am I wrong?

Hope my questions are clear. Thanks in advance for help :)
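The "add an exception" flow the poster describes is certificate pinning by fingerprint: on the first connection the user approves the certificate, the client records a digest of its DER bytes, and on every later connection the presented certificate is hashed and compared with the stored value. The example below is added here to show that flow; it is not code from the poster's app or from libneon. It hashes with SHA-256 (an editorial choice, not the poster's MD5), uses constructed byte strings in place of real DER certificates, and assumes a hypothetical host name and JSON pin file.

```python
import hashlib
import hmac
import json
from pathlib import Path
from typing import Dict, List, Optional

# Constructed stand-ins for DER-encoded certificates (not real X.509 data):
# the pinning logic only ever hashes the raw bytes, so any byte string will do.
LAN_SERVER_CERT_DER = b"\x30\x82\x02\x10" + b"constructed self-signed cert of the LAN server " * 8
IMPOSTOR_CERT_DER = b"\x30\x82\x02\x10" + b"constructed cert presented by another machine " * 8


def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 digest of the DER bytes, the value browsers display as the
    certificate's SHA-256 fingerprint."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Per-host pins (host -> fingerprint), optionally persisted as JSON.

    The pinned value is derived from public data (the server sends its
    certificate in clear during every TLS handshake), so the file need not be
    secret; it must be protected against modification, e.g. by file permissions.
    """

    def __init__(self, path: Optional[Path] = None):
        self.path = path  # None keeps the store in memory only
        self.pins: Dict[str, str] = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, host: str, cert_der: bytes) -> str:
        """'trusted' if the presented certificate matches the pin, 'unknown' if
        no pin exists yet (ask the user), 'mismatch' if a pin exists but the
        certificate differs (refuse the connection)."""
        pinned = self.pins.get(host)
        if pinned is None:
            return "unknown"
        # compare_digest: constant-time comparison of the two hex strings.
        if hmac.compare_digest(pinned, fingerprint(cert_der)):
            return "trusted"
        return "mismatch"

    def trust(self, host: str, cert_der: bytes) -> str:
        """Record the user's 'add exception' decision; returns the pinned fingerprint."""
        fp = fingerprint(cert_der)
        self.pins[host] = fp
        self._save()
        return fp


def connect_decision(store: PinStore, host: str, cert_der: bytes, user_accepts: bool) -> str:
    """Per-connection flow: consult the pin store and, for a host with no pin,
    defer to the (simulated) user's decision before trusting it."""
    status = store.check(host, cert_der)
    if status == "unknown" and user_accepts:
        store.trust(host, cert_der)
        return "trusted-on-first-use"
    return status


def run_scenario(path: Optional[Path] = None) -> List[str]:
    """First connection (user accepts), a repeat connection with the same
    certificate, then an impostor presenting a different certificate for the
    same hypothetical host name."""
    store = PinStore(path)
    host = "fileserver.lan"  # assumed host name
    return [
        connect_decision(store, host, LAN_SERVER_CERT_DER, user_accepts=True),
        connect_decision(store, host, LAN_SERVER_CERT_DER, user_accepts=True),
        connect_decision(store, host, IMPOSTOR_CERT_DER, user_accepts=True),
    ]


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        for outcome in run_scenario(Path(d) / "pins.json"):
            print(outcome)  # trusted-on-first-use, trusted, mismatch
```

In a real client the DER bytes come from the TLS layer (libneon exposes the peer certificate in its verification callback), and the "mismatch" result must abort the connection rather than prompt again, since a prompt at that point is exactly what an active attacker on the LAN would want the user to click through.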