On Mon, Feb 12, 2007, Marek Marcola wrote:

> Hello,
> > I have a secure connection with a buffered BIO, and after the connection
> > is established, I want to verify (on the Client) the Server's
> > certificate with a Root-CA.
> > How can I do this with openssl?
> With functions like:
> 
> X509 *cert = SSL_get_peer_certificate(ssl);        /* NULL if the server sent none */
> X509_STORE *CAcerts = X509_STORE_new();
> X509_STORE_CTX *ca_ctx = X509_STORE_CTX_new();
> X509_STORE_load_locations(CAcerts, file, NULL);    /* file holds the Root-CA */
> X509_STORE_CTX_init(ca_ctx, CAcerts, cert, NULL);  /* no untrusted chain passed */
> int ok = X509_verify_cert(ca_ctx);                 /* 1 on success */
> X509_STORE_CTX_free(ca_ctx); X509_STORE_free(CAcerts); X509_free(cert);
> 

You would additionally have to set an appropriate purpose (SSL server
typically) and include the whole chain, not just the peer certificate. That is
handled automatically if verification is enabled on the SSL context itself.

The host name should also be verified against the certificate.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
