It's important to realize that the client decides whether to accept a server's certificate or not!
If you want OpenSSL to do "the standard client's job" (that is, check that the server has a certificate and that the certificate is correct and signed by a CA defined in a CAfile or CA directory), you have to tell the library to do so using SSL_CTX_set_verify with the flags SSL_VERIFY_PEER and SSL_VERIFY_FAIL_IF_NO_PEER_CERT, as Alexis wrote below, and by defining the list of acceptable CAs by calling SSL_CTX_load_verify_locations.
Otherwise your client will accept every certificate, or even a connection without a certificate.
See http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html and http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html for more information.
Hope it helps. Ted ;)

Urjit Gokhale wrote:
Hello,
Could someone help me understand what is happening here?
~ Urjit

----- Original Message -----
From: "Urjit Gokhale" <[EMAIL PROTECTED]>
To: <openssl-users@openssl.org>
Sent: Thursday, January 18, 2007 9:13 PM
Subject: Re: My ssl client connects without the knowledge of root CA certificate

No. The function call sequence in the client goes like:
SSL_load_error_strings()
SSL_library_init()
SSL_CTX_new()
SSL_new()
SSL_set_cipher_list()
SSL_set_fd()
SSL_connect()
and then the client continues with SSL_read() and SSL_write().
I still wonder how my client manages to do a successful SSL_connect!
Anyway, thanks for the reply,
~ Urjit

----- Original Message -----
From: "Alexis Lefort" <[EMAIL PROTECTED]>
To: <openssl-users@openssl.org>
Sent: Thursday, January 18, 2007 2:43 PM
Subject: Re: My ssl client connects without the knowledge of root CA certificate

Hi,
Do you use:
SSL_CTX_set_verify (sslctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
If not it is probably the solution ;)
Alexis

Urjit Gokhale wrote:
Hi,
I have a sample SSLized client server program. I am not using SSL_CTX_load_verify_locations() in the client and still my client is able to connect to the server. I wonder how this could be possible. How would the client be able to authenticate the server certificate without the knowledge of the root CA certificate that signed the server certificate? The server certificate, as far as I know, is not self-signed (server certificate file is attached).
Could someone explain how my client connects to the server without the knowledge of the root CA?
Could someone list the necessary and sufficient conditions for a certificate to be considered self-signed?
Thank you,
~ Urjit

--
Alexis Lefort
--
PGP Public Key Information
Download the complete key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
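Editor's example, not part of the thread above: the client configurations Ted and Alexis discuss, run against a real server certificate so the verdicts can be seen rather than argued about. It is written against Go's crypto/tls instead of the OpenSSL C API because Go's standard library can mint the test CA and server certificate in-process, so the whole thing runs offline with no key files; the behaviour it demonstrates is the one Ted describes. The mapping is: a client with InsecureSkipVerify is the OpenSSL client that never called SSL_CTX_set_verify (the handshake completes with any certificate, exactly what Urjit saw); a RootCAs pool holding the issuing CA is what SSL_CTX_load_verify_locations provides; an empty pool is verification switched on with no CA loaded (OpenSSL reports that as "unable to get local issuer certificate"). Two caveats for an OpenSSL client that the thread does not spell out: SSL_VERIFY_FAIL_IF_NO_PEER_CERT is only meaningful on the server side, a client with SSL_VERIFY_PEER alone already aborts the handshake on a bad or missing certificate; and chain verification does not tie the certificate to the host you meant to reach, so the example also runs a host name mismatch, which in OpenSSL is the separate SSL_set1_host check (1.1.0 and later; X509_VERIFY_PARAM_set1_host in 1.0.2) and with the 2007-era library was the application's own job. The CA in the example also answers Urjit's last question: a certificate is self-signed when its issuer equals its subject and its signature verifies under its own public key. The names "Example Test CA", server.example and other.example and the 24-hour validity are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mustIssue mints a P-256 key and a certificate for cn; with parent == nil it is self-signed (the throwaway CA).
func mustIssue(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: parent == nil,
	}
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // issuer == subject, signed with its own key
	} else {
		tmpl.DNSNames = []string{cn} // the host name check matches the SAN, not the CN
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// handshake runs one TLS handshake over loopback TCP; the server always presents serverCert, the client's error is its verdict.
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	done := make(chan struct{})
	go func() {
		defer close(done)
		if raw, err := ln.Accept(); err == nil {
			defer raw.Close()
			tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake()
		}
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	check(err)
	err = tls.Client(raw, clientCfg).Handshake()
	raw.Close() // drop the socket so the server goroutine never waits on us
	<-done
	return err
}

// classify reduces the client's handshake error to the outcome that matters.
func classify(err error) string {
	switch {
	case err == nil:
		return "accepted"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "rejected: unknown CA"
	case errors.As(err, new(x509.HostnameError)):
		return "rejected: hostname mismatch"
	}
	return "rejected: " + err.Error()
}

// scenarios runs the thread's client configurations (plus a host name check) against a CA-issued server cert.
func scenarios() map[string]string {
	caCert, caKey := mustIssue("Example Test CA", 1, nil, nil)
	leaf, leafKey := mustIssue("server.example", 2, caCert, caKey) // assumed host name
	serverCert := tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}
	caPool := x509.NewCertPool()
	caPool.AddCert(caCert)
	cfgs := map[string]*tls.Config{
		// An OpenSSL client that never calls SSL_CTX_set_verify: any certificate passes.
		"no verification": {InsecureSkipVerify: true},
		// SSL_VERIFY_PEER set, but no CA ever loaded: no chain can be built.
		"verify, no CA loaded": {ServerName: "server.example", RootCAs: x509.NewCertPool()},
		// SSL_VERIFY_PEER plus the issuing CA, as SSL_CTX_load_verify_locations provides.
		"verify, CA loaded": {ServerName: "server.example", RootCAs: caPool},
		// Same CA, but the client expected another name: the chain is fine, the name is not.
		"verify, CA loaded, wrong host": {ServerName: "other.example", RootCAs: caPool},
	}
	out := make(map[string]string, len(cfgs))
	for name, cfg := range cfgs {
		out[name] = classify(handshake(serverCert, cfg))
	}
	return out
}
```

Call scenarios() from a main or a _test.go file; it needs only the standard library and a loopback interface. The "no verification" client is accepted against a certificate it has no way to check, which is Urjit's situation; switching verification on without loading the CA turns that into an unknown-CA rejection; loading the CA makes the handshake succeed; and the same trusted chain is still rejected when the client expected a different host name, which is the check a client must do on top of what SSL_CTX_set_verify and SSL_CTX_load_verify_locations give it.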