Ian Alderman wrote:
>
> I'm trying to use 'openssl verify' to verify a certificate chain for
> which I have (and trust) the root CA certificate.
>
> Verify just returns 'OK' whenever there's any self-signed certificate
> anywhere in the certificate chain. I can't figure out how to specify
> that my root CA certificate is the only acceptable one. Any ideas?
>
'verify' is a demonstration application and it does various things that
wouldn't happen in a "real" application. For example on any error it
carries on after printing a warning. A real application would fail the
verify after any error.
> Suppose I'm trying to authenticate something using verify. All they
> have to do is give me a self-signed certificate and it verifies fine.
> This doesn't seem too secure. How can I prevent this?
>
With something like SSL this wouldn't happen: you would get an error.
One of the problems with some of the verify code is that it has several
"quirks". These work fine provided the verify code is used in an
"approved" way but can cause problems in some cases.
I'm currently reviewing the way the verify code works. I'd initially
thought of just patching up what is already there. I've reluctantly come
to the conclusion that it needs rewriting while retaining (where
possible and sensible) compatability with the original behaviour.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
