Hi,

> It is still better to have a CA that signs certificates, there are some
> technical reasons in openssl, it is simpler to program the trust checking,
> in fact with self signed certs you need callbacks to accept them, while
> with a "trusted" CA, you don't.
This has put "a spanner in the works" for me. Can you point me to some code
samples to handle this?

This is what I have done in my code at present for authentication (error
handling omitted for brevity):

    /* 1. Load certificate chain. */
    err = SSL_CTX_use_certificate_chain_file(_ctx_g, certpath);

    /* 2. Load private key. */
    /* Disable password callback. */
    SSL_CTX_set_default_passwd_cb(_ctx_g, NULL);
    err = SSL_CTX_use_PrivateKey_file(_ctx_g, keypath, SSL_FILETYPE_PEM);

    /* 3. Check private key. */
    err = SSL_CTX_check_private_key(_ctx_g);

    /* 4. Verify client? */
    if (mode & SSL_MODE_VERIFY) {
        if (cafile || capath) {
            err = SSL_CTX_load_verify_locations(_ctx_g, cafile, capath);
        }
        err = SSL_CTX_set_default_verify_paths(_ctx_g);
        SSL_CTX_set_verify(_ctx_g, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
        SSL_CTX_set_verify_depth(_ctx_g, 1);
    }

    if (cilist) {
        err = SSL_CTX_set_cipher_list(_ctx_g, cilist);
    }

Regards,
Mark

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]