Re: Trusting a server certificate
Hi,

Can anyone please help me on the below question?

Thanks,
Ravi.

On 8/3/06, ravi shankar [EMAIL PROTECTED] wrote:
> Hi,
> I am new to openssl. How do we tell the SSL client to trust the server certificate in advance using openssl APIs? For example, when we have the trusted root from the webserver, we can use the SSL_CTX_set_verify_locations function to tell the client to trust the server certificate if it matches the trusted root. But when we have only the server certificate (before making the connection itself) instead of the trusted root, which function can be used to tell the SSL client to trust the server certificate? Can anyone explain it to me?
> Thanks,
> Ravi.
Re: Trusting a server certificate
Hello,

> Can anyone please help me on the below question?
> Thanks,
> Ravi.
>
> On 8/3/06, ravi shankar [EMAIL PROTECTED] wrote:
> > Hi,
> > I am new to openssl. How do we tell the SSL client to trust the server certificate in advance using openssl APIs? For example, when we have the trusted root from the webserver, we can use the SSL_CTX_set_verify_locations function to tell the client to trust the server certificate if it matches the trusted root. But when we have only the server certificate (before making the connection itself) instead of the trusted root, which function can be used to tell the SSL client to trust the server certificate? Can anyone explain it to me?

I'm not sure if there is such an API in OpenSSL, but ... if you already have the server certificate and you want to trust only this server, you may connect to this server (SSL_connect()) without peer authentication. After a successful SSL connection, at your application layer you may get the server certificate using SSL_get_peer_certificate(), calculate, for example, a message digest of this certificate and compare it with the message digest of the certificate that you already have; if the comparison is successful you proceed, if not, simply shut down the SSL connection.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
Re: Trusting a server certificate
Wouldn't it be sufficient to use SSL_CTX_set_verify_locations to point to the server's certificate itself? I thought the verification process would accept the certificate as long as one of the certificates in the chain is trusted, even if it is the last one. Or first, depending on how you see it.

Marek Marcola wrote:
> Hello,
>
> > Can anyone please help me on the below question?
> > Thanks,
> > Ravi.
> >
> > On 8/3/06, ravi shankar [EMAIL PROTECTED] wrote:
> > > Hi,
> > > I am new to openssl. How do we tell the SSL client to trust the server certificate in advance using openssl APIs? For example, when we have the trusted root from the webserver, we can use the SSL_CTX_set_verify_locations function to tell the client to trust the server certificate if it matches the trusted root. But when we have only the server certificate (before making the connection itself) instead of the trusted root, which function can be used to tell the SSL client to trust the server certificate? Can anyone explain it to me?
>
> I'm not sure if there is such an API in OpenSSL, but ... if you already have the server certificate and you want to trust only this server, you may connect to this server (SSL_connect()) without peer authentication. After a successful SSL connection, at your application layer you may get the server certificate using SSL_get_peer_certificate(), calculate, for example, a message digest of this certificate and compare it with the message digest of the certificate that you already have; if the comparison is successful you proceed, if not, simply shut down the SSL connection.
>
> Best regards,

--
Alain Damiral,
I hope this message makes me look like a very intelligent person
Re: Trusting a server certificate
Hello,

> Wouldn't it be sufficient to use SSL_CTX_set_verify_locations to point to the server's certificate itself? I thought the verification process would accept the certificate as long as one of the certificates in the chain is trusted, even if it is the last one. Or first, depending on how you see it.

This may be very easily verified:

$ openssl verify -CAfile vpn-server-crt.pem vpn-server-crt.pem
vpn-server-crt.pem: /C=PL/ST=Warsaw/L=Warsaw/O=Malkom/OU=Malkom Admin/CN=VPN Server
error 20 at 0 depth lookup:unable to get local issuer certificate

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
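The flow Marek describes (connect without peer verification, fetch the peer certificate, compare a digest of it with the digest of the copy you already hold, and tear the connection down on mismatch) is certificate pinning done at the application layer. The following is an added example, not code from the thread or from the OpenSSL project; it uses Python's `ssl` module, where `getpeercert(binary_form=True)` plays the role of `SSL_get_peer_certificate()` and `verify_mode = CERT_NONE` the role of `SSL_VERIFY_NONE`. (In OpenSSL itself the verify-store loader the thread refers to is actually named `SSL_CTX_load_verify_locations`, and OpenSSL 3.0 renamed `SSL_get_peer_certificate` to `SSL_get1_peer_certificate`.) The `SAMPLE_DER` bytes are constructed, not a real certificate; the digest logic is the same for real DER bytes taken from a live connection or from `openssl x509 -outform DER`.

```python
"""Pin a server certificate by digest instead of by trust anchor (added example)."""
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for DER-encoded certificate bytes. A real value comes from
# ssock.getpeercert(binary_form=True) on a live connection; the pin logic only
# needs the raw bytes, so any byte string exercises it.
SAMPLE_DER = b"\x30\x82\x01\x00constructed-not-a-real-certificate"
# The pin you would ship with the client, computed once from the copy you hold.
SAMPLE_PIN = hashlib.sha256(SAMPLE_DER).hexdigest()


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding as lowercase hex. This is the same value
    `openssl x509 -noout -fingerprint -sha256` prints, minus the colons."""
    return hashlib.sha256(der).hexdigest()


def normalize_pin(pin: str) -> str:
    """Accept both the colon-separated OpenSSL display form and plain hex."""
    return pin.replace(":", "").strip().lower()


def pin_matches(der: bytes, expected_pin: str) -> bool:
    """Compare digests in constant time so a mismatch cannot be timed."""
    return hmac.compare_digest(fingerprint(der), normalize_pin(expected_pin))


def connect_with_pin(host: str, port: int, expected_pin: str,
                     timeout: float = 5.0) -> ssl.SSLSocket:
    """Marek's flow: handshake without chain verification, then enforce the pin.

    Raises ssl.SSLCertVerificationError (and closes the socket) on mismatch, so
    a caller can never read or write application data to an unpinned peer.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # equivalent of SSL_VERIFY_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    ssock = ctx.wrap_socket(raw, server_hostname=host)   # SSL_connect()
    try:
        der = ssock.getpeercert(binary_form=True)        # SSL_get_peer_certificate()
        if der is None or not pin_matches(der, expected_pin):
            raise ssl.SSLCertVerificationError(
                "peer certificate does not match the pinned fingerprint")
    except Exception:
        ssock.close()                                    # shut down on mismatch
        raise
    return ssock


if __name__ == "__main__":
    # Offline self-check on the constructed bytes; a real client would call
    # connect_with_pin("vpn.example.invalid", 443, SAMPLE_PIN) instead.
    print("pin ok:", pin_matches(SAMPLE_DER, SAMPLE_PIN))
    print("tampered:", pin_matches(SAMPLE_DER + b"x", SAMPLE_PIN))
```

Two points worth keeping in mind when using this pattern. First, with `CERT_NONE` the TLS library performs no chain, expiry or hostname checks at all, so the pin comparison is the only thing standing between the client and an impostor; it must run before any application data is exchanged, and the connection must be closed on failure, exactly as Marek says. Second, pinning the digest of the whole certificate means the pin breaks whenever the server renews its certificate, which is why many deployments pin the SubjectPublicKeyInfo instead. As for Alain's alternative, Marek's `openssl verify -CAfile leaf.pem leaf.pem` output shows why loading the leaf into the trust store does not work for a CA-issued certificate: the verifier still needs the issuer to complete the chain (error 20). Only a self-signed leaf can act as its own trust anchor that way.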
Trusting a server certificate
Hi,

I am new to openssl. How do we tell the SSL client to trust the server certificate in advance using openssl APIs? For example, when we have the trusted root from the webserver, we can use the SSL_CTX_set_verify_locations function to tell the client to trust the server certificate if it matches the trusted root. But when we have only the server certificate (before making the connection itself) instead of the trusted root, which function can be used to tell the SSL client to trust the server certificate? Can anyone explain it to me?

Thanks,
Ravi.