On Wed, 11 Oct 2000, Adam Wiggins wrote:

> 
> Greetings,
> 
>    I am writing a client/server app in which the client needs to validate
> that the server it is connecting to is actually who it claims to be.
> The server is using a self-signed certificate.  The logic would
> (hopefully) be along the lines of:
> 
> 1. establish an SSL connection to a server
> 2. get their certificate

you might want to take a look at SSL specs to learn what exactly "get"
means.  it's not "login: " query!
don't reinvent the wheel with "garbage" (later)

> 3. verify that it matches the certificate I have stored locally
> 4. if not, break the connection, otherwise proceed
> 
>    Essentially what I want to do is strcmp() the certificate I receive
> with my local one, but of course that's incredibly easy to spoof.
> 
>    Currently the only option I can see is to generate some garbage data on
> the server side, encrypt that with the private key, send both the garbage
> and the encrypted garbage (signature) to the client, then have the client
> decrypt those with the public key and make sure they match.

one is not required to send the "garbage". if the other side can decrypt
and use it to keep talking, that's enough to prove holding the right private key

>    This seems like something that would be built into the SSL negotiation,
> however there is a huge list of functions, most of which are undocumented.
> I can't seem to figure which one(s) I would want to use.
> 
>    There is a bunch of stuff related to tracing back "trusted" certificates,
> but I really only want one certificate to be valid, one that I include
> in my code as a static string.

most likely you mean some criteria while writing "valid" and that
list of conditions is not always the same for different people/projects.

that's the reason for "bunch of stuff" implemented

>    Any tips much appreciated.

most likely X509_cmp() will be good to ensure "certificate is the same"

good luck,
Vadim

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
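
Added example, not part of the original thread and not OpenSSL's own code: the "accept exactly one certificate" check from the message above, written with Python's `ssl` module (a wrapper over OpenSSL) instead of the C API's X509_cmp(). The sample bytes, the pinned fingerprint and the helper names are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for the server certificate's DER bytes. In a real client,
# PINNED_SHA256 is computed once, out of band, from the server's certificate file
# and shipped inside the client as a static string.
SAMPLE_DER = b"constructed stand-in for the DER certificate"
PINNED_SHA256 = hashlib.sha256(SAMPLE_DER).hexdigest()


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the whole DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def matches_pin(der_cert, pinned_hex: str) -> bool:
    """True only if a certificate was presented and it hashes to the pin."""
    if not der_cert:  # None or empty: the peer sent no certificate
        return False
    return hmac.compare_digest(fingerprint(der_cert), pinned_hex.lower())


def connect_pinned(host: str, port: int, pinned_hex: str, timeout: float = 10.0):
    """Open a TLS connection and keep it only if the peer certificate is the pinned one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # A self-signed certificate has no CA chain to walk, so chain and hostname
    # checks are switched off and the pin below is the only trust decision.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    # The handshake has completed, so the peer has already shown it holds the
    # private key for the certificate it sent; no extra challenge is needed.
    if not matches_pin(tls.getpeercert(binary_form=True), pinned_hex):
        tls.close()
        raise ssl.SSLError("server certificate does not match the pinned certificate")
    return tls
```

No application data should be sent on the socket before `connect_pinned()` returns, since the pin is checked only after the handshake.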
