Thanks Lutz,
I'm incorporating OpenSSL into a web browser and what I'm really after is behaviour
similar to the other browsers around, i.e. when an untrusted site is visited the user
is warned but also gets the option to 'install' the received server certificate so
that the next time the site is visited the warning is not displayed (I should have
mentioned this before, sorry).
As you say, if the peer sends the certificate chain then the verify error changes to
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, but I don't think this is the behaviour I need
(also it's up to the web server whether it sends the chain, I believe).
Should I be storing these 'installed' web server certificates in a different file from
the CA list and, when I receive a peer certificate which cannot be verified against the
CA list, manually search through the other file to try and match the certificate
that way? If so, what's the best way to accomplish this?
Graeme
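The per-server trust store Graeme asks about, as an added example that is not code from this thread or from OpenSSL. It keeps the user-installed server certificates in their own PEM file, separate from the CA list, consults that file only when chain verification has failed, and matches on the whole certificate encoding (the effect of X509_cmp()) rather than on the subject name. It is written in Python with the standard library so that it runs stand-alone; the DER blobs, the store file contents and the subset of verify errors it lets an installed certificate override are constructed for the example, and the OpenSSL calls the same flow uses in a C client are named in the module docstring.

```python
"""Added example (not code from the thread): an 'installed server
certificates' store kept in its own file, apart from the CA list, and consulted
only after OpenSSL's normal chain verification has failed.

In the C client the same flow is: SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL)
so the handshake is not aborted, then after SSL_connect() check
SSL_get_verify_result(); if it is not X509_V_OK, loop PEM_read_bio_X509() over
the installed-cert file and X509_cmp() each one against
SSL_get_peer_certificate(); to 'install', PEM_write_bio_X509() the peer cert to
that file.  Python stdlib only; the DER blobs below are constructed placeholders,
not real certificates (only their bytes are hashed and compared)."""
import base64
import hashlib
import re

# Verify-result codes, numeric values as in OpenSSL's x509_vfy.h.
X509_V_OK = 0
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20
X509_V_ERR_CERT_REVOKED = 23

# Errors a user-installed server cert may override (a design choice made for
# this example).  Chain-building failures are exactly what an explicit
# per-server trust decision is for; a revoked cert is not, so a stale
# 'install' must not silence that.
OVERRIDABLE = {
    X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
    X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
}

_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(data: bytes) -> list:
    """Every certificate in a PEM file, as DER.  Text between blocks (such as
    the X509_print() dump the thread writes next to each cert) is skipped,
    which is also how PEM_read_bio_X509() behaves."""
    return [base64.b64decode(b"".join(m.group(1).split()))
            for m in _PEM_BLOCK.finditer(data)]


def der_to_pem(der: bytes) -> bytes:
    """PEM block for one certificate, 64-column base64 as PEM_write_bio_X509() writes it."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


class InstalledCertStore:
    """Server certificates the user chose to trust.  A cert matches only if
    its whole DER encoding is identical (the effect of X509_cmp()); the
    subject name alone is never enough, since anyone can put a name in a cert."""

    def __init__(self, pem_file_contents: bytes = b""):
        self._fps = {fingerprint(d) for d in pem_to_der_list(pem_file_contents)}

    def contains(self, der: bytes) -> bool:
        return fingerprint(der) in self._fps

    def install(self, der: bytes) -> bytes:
        """Trust this cert from now on; returns the PEM block the caller
        appends to the store file so the decision survives a restart."""
        self._fps.add(fingerprint(der))
        return der_to_pem(der)


ACCEPT, WARN = "accept", "warn"


def decide(verify_result: int, peer_der: bytes, store: InstalledCertStore) -> str:
    """What the browser does after the handshake, given SSL_get_verify_result()
    and the depth-0 peer certificate."""
    if verify_result == X509_V_OK:
        return ACCEPT                       # the CA list vouched for it
    if verify_result in OVERRIDABLE and store.contains(peer_der):
        return ACCEPT                       # the user installed this exact cert
    return WARN                             # show the warning / 'install' dialog


# Constructed placeholders standing in for DER certificate bytes.
INSTALLED_DER = b"\x30\x82\x01\x00placeholder-der: CN=old.example, already installed"
PEER_DER = b"\x30\x82\x01\x00placeholder-der: CN=new.example, seen for first time"

# Constructed contents of the installed-cert file, with an X509_print()-style
# dump in front of the block, as the code in the thread would produce.
SAMPLE_STORE_FILE = (
    b"Certificate:\n    Data:\n        Subject: CN=old.example\n"
    + der_to_pem(INSTALLED_DER)
)


def demo() -> dict:
    """First visit warns; after 'install' the same cert is accepted, even from
    a store file re-read from disk; a revoked cert still warns."""
    store = InstalledCertStore(SAMPLE_STORE_FILE)
    err = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    first = decide(err, PEER_DER, store)
    new_file = SAMPLE_STORE_FILE + store.install(PEER_DER)
    reloaded = InstalledCertStore(new_file)
    return {
        "old_cert": decide(err, INSTALLED_DER, store),
        "first_visit": first,
        "after_install": decide(err, PEER_DER, reloaded),
        "revoked_even_if_installed": decide(X509_V_ERR_CERT_REVOKED, PEER_DER, reloaded),
        "store_size": len(pem_to_der_list(new_file)),
    }


if __name__ == "__main__":
    print(demo())
```

In the C client the point to get right is the verify mode: with SSL_VERIFY_PEER the handshake itself fails on X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, so use SSL_VERIFY_NONE (or a verify callback that returns 1) and make the accept/warn decision yourself from SSL_get_verify_result() after SSL_connect(). Writing the X509_print() output into the same file does not break reading it back, because PEM_read_bio_X509() skips anything outside the BEGIN/END lines, but a certificate-only file is smaller and easier to audit.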
>>> [EMAIL PROTECTED] 03/04/01 17:25:21 >>>
On Tue, Apr 03, 2001 at 04:38:27PM +0100, Graeme English wrote:
> I now want to choose to trust this server so I thought I could do something like
> this -
>
> #include <openssl/bio.h>
> #include <openssl/pem.h>
> #include <openssl/ssl.h>
> #include <openssl/x509.h>
>
> X509 *server_cert;
> BIO *cout;
> cout = BIO_new(BIO_s_file());
> /* open CERT_STORE for appending; BIO_append_filename() returns <= 0 on failure */
> if (BIO_append_filename(cout, CERT_STORE) <= 0) {
>     BIO_free(cout);
>     return;                                /* could not open the store */
> }
> server_cert = SSL_get_peer_certificate(_ssl); /* NULL if the peer sent no cert */
> X509_print(cout, server_cert);                 /* human-readable dump */
> PEM_write_bio_X509(cout, server_cert);         /* the PEM block that gets read back */
> X509_free(server_cert);                        /* SSL_get_peer_certificate() took a reference */
> BIO_free(cout);
>
> so that next time the server's certificate would be found, but I still get the
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. This is presumably because it is the
> issuer (CA) of the received server certificate that is being searched for.
>
> How do I set things up to trust the server certificate ?
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY means that the verification
routine could not get the issuer certificate by any means: it was not
included in the certificate chain sent _and_ it was not available locally.
(It is ok for the chain to leave out the toplevel CA, because when it is
trusted, it is available locally anyway.)
Therefore you cannot access the missing CA cert as it is missing :-)
Make sure that the peer sends the complete chain. You will see that
the chain is complete, when the verification error becomes
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN.
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
______________________________________________________________________