Hi all,

I have a problem with an SSL server that uses a self-signed certificate.
Using the standard callback function to check the certificate chain I get
the X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error, and if I simply ignore this
specific error then any self-signed certificate is accepted, not just those
specified in the X509_STORE.

Searching the archive I found a message from David Marwood who had the same
concern but could not find any answer from the usual gurus of the OpenSSL
dev list...

So I am left with three questions:

1) is there a security reason for not accepting a self-signed certificate as
an SSL server certificate (as shown in the OpenSSL server example)?

2) if not, is there an example of code to add to the verify callback to
check that the self-signed certificate is indeed in the X509_STORE?

3) if I add such code, could I be sure that self-signed certificates do
not bypass some security checking (I have tested that the checks for expired
and not yet issued certificates are not bypassed, but there might be things
that I can't think of)?

Thank you...

Nicolas Roumiantzeff

P.S. David, if you have solved your problem, and if you are still hooked up
on this list...

-----Original Message-----
From: David Marwood <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: 1999-10-27 22:23:46
Subject: X509_verify_cert() weirdness

X509_verify_cert doesn't behave as I would have expected...
By default, it will reject any depth-zero-self-signed certificate
(like the one attached).  I don't see why such a certificate should
always be rejected -- they're fine if they're signed by a certificate
in the X509_STORE.  Also, isn't the CA root certificate one of these?

I can use the verify callback to mask any such errors.  However, then
all depth-zero-self-signed certificates are successfully verified
without even consulting the X509_STORE.  Self-signed certificates
should be rejected if they are not signed by the CA (i.e. they are not
the CA).
David Marwood

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]