Hi Vadim,
Thanks for your reply.
I managed to get things to work, but I just want to confirm.
I use the SSL_CTX_use_certificate_chain_file (sslContext, certfile) method,
where sslContext is an SSL_CTX *sslContext and certfile is the path "c:\\
...\\srvcert.pem".
The srvcert.pem file contains the certificate of the server and all of its
"certificate path" certificates,
except its root certificate, which must be installed on the browser.
If the file contains only the server certificate, then I get a pop-up on the
browser that this is not a trusted site.
I assume that this is because the browser can't make the connection between
the server certificate that I send it and the root certificate that it
holds.
Is this the most accurate and right way to work?
Best Regards,
Itai Levy,
Software Developer R&D
Algorithmic Research Ltd. ( Data Security Across the Enterprise )
10 Nevatim st., Kiryat Matalon
Petah Tikva 49561
Israel
Tel: +972-3-9279514
e-mail:[EMAIL PROTECTED]
http://www.arx.com
-----Original Message-----
From: Vadim Fedukovich [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 04, 2000 2:14 PM
To: Levy itai
Subject: Re: chain certificate
On Tue, Jul 04, 2000 at 10:35:12AM +0200, Levy itai wrote:
> Hi,
>
> I thought that verify locations was for verifying client
> certificates.
It is for any certificate verification. Another example is SSL client
verifying server's certificate.
> If I'm wrong, could you please tell me how to use the
> SSL_CTX_load_verify_locations method.
> I succeeded in loading a chain of certificates using the
> SSL_CTX_use_certificate_chain_file (sslContext, certfile) method.
> It is working with all the browsers. Now I'm a little bit confused.
Hi Levy,
let's review goals first: any verification needs something to trust
coming from your own hard drive, not the network. "Verify location" is to
specify where (on the HDD) to pick up the CA's certificate.
Next, look at the code:
SSL_CTX_load_verify_locations() is just X509_STORE_load_locations(), and
the latter is to specify "a file" and "a directory" for the 2 certificate
pickup methods implemented in openssl: load them from a file, or pick them
up using hashes.
SSL_CTX_use_certificate_chain_file()'s goal is completely different
(citing ssl/ssl_rsa.c): "Read a file that contains our certificate...
that should be sent to the peer in the Certificate message".
Regarding the 2 methods mentioned: "using a file" is simple and I'd suggest
using it. Just specify a file holding the top-level CA certificate and
use NULL for the directory (the "using hashes" method).
Hope this helps a bit. I'm interested in openssl- or crypto-related
consulting or development and willing to travel.
best wishes,
Vadim
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
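The following is an added example for readers of this thread; it is not code from either poster and not the OpenSSL C API. It is a toy model in Python of what the browser does with the two inputs the thread discusses: the certificates the server sends in its Certificate message (what SSL_CTX_use_certificate_chain_file loads on the server side, treated by the client as an untrusted pool) and the self-signed root the client already holds on local disk (what SSL_CTX_load_verify_locations loads on the verifying side). Certificates are reduced to (subject, issuer) pairs; no signatures, validity dates or names are checked, and all names are hypothetical. It reproduces the three cases that matter here: chain file with the intermediate builds a path to the local root, chain file with the server certificate alone does not, and a root that only arrives over the network is never an anchor.

```python
"""Toy certificate-path builder, written for this thread as an added example.

It is not OpenSSL code and it checks no signatures, validity dates or
names; certificates are reduced to (subject, issuer) pairs.  What it does
model is the one thing the thread turns on: the client builds a path
from the server certificate, through whatever extra certificates the
server sent in its Certificate message (an UNTRUSTED pool), until it
reaches a self-signed anchor it already holds locally (the "verify
locations").  A root that only arrives over the network is never an anchor.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed sample PKI (hypothetical names, not from the original post).
ROOT = Cert("Example Root CA", "Example Root CA")
INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA")
SERVER = Cert("www.example.test", "Example Issuing CA")


def build_path(leaf, untrusted, trust_anchors, max_depth=8):
    """Return [leaf, ..., anchor]; raise ValueError if no path to an anchor exists."""
    anchors = {c.subject: c for c in trust_anchors if c.is_self_signed()}
    pool = {c.subject: c for c in untrusted}
    path = [leaf]
    current = leaf
    for _ in range(max_depth):
        if current.issuer in anchors:          # reached something trusted locally
            path.append(anchors[current.issuer])
            return path
        nxt = pool.get(current.issuer)
        # Missing issuer, an untrusted self-signed root, or a loop: give up.
        if nxt is None or nxt.is_self_signed() or nxt in path:
            raise ValueError(
                f"unable to get issuer certificate for '{current.subject}'")
        path.append(nxt)
        current = nxt
    raise ValueError("certificate chain too long")


def verify_server_chain(sent, trust_anchors):
    """Client-side view: `sent` is the server's Certificate message, leaf first.

    Returns (ok, detail) where detail is the path's subjects or the error text.
    """
    try:
        path = build_path(sent[0], sent[1:], trust_anchors)
    except ValueError as err:
        return False, str(err)
    return True, [c.subject for c in path]


def chain_file_is_ordered(certs):
    """True when a PEM chain file is in the order OpenSSL expects:
    the server's own certificate first, each following certificate
    being the issuer of the one before it."""
    return all(a.issuer == b.subject for a, b in zip(certs, certs[1:]))


if __name__ == "__main__":
    # Case from the thread: chain file = server cert + intermediate, root on the browser.
    print(verify_server_chain([SERVER, INTERMEDIATE], [ROOT]))
    # Chain file holds only the server cert: the browser cannot link it to its root.
    print(verify_server_chain([SERVER], [ROOT]))
    # Root shipped by the server but absent from the local store: still untrusted.
    print(verify_server_chain([SERVER, INTERMEDIATE, ROOT], []))
```

The ordering check matters in practice: the PEM file given to SSL_CTX_use_certificate_chain_file must start with the server's own certificate, followed by the intermediates in issuing order; the root may be omitted, as the thread does, because the peer will not trust it from the wire anyway.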