Hi Anri:

Anri Lau wrote:
> Hi All,
>
> Anyone know how many rules should be performed when building a TLS connection?
> I have some test cases. The certificate time is not valid, validation failed.
> But the certificate passed if the validity dates of the child certificate
> are not contained within the validity dates of the parent certificate.
>
> As I know, both of the above are the standard rules of digital certificates.
>
> So, which rules will be performed in OpenSSL when building the TLS connection?

I believe that the above are what is performed, as well as, if you provide the appropriate information, CRL validation (and, I believe, OCSP can be added into the mix)...
However, OpenSSL does not *YET* perform full RFC3280 compliant Path Validation and Discovery (checking for Name Constraints, Policy compliance and mapping, AIA Chasing, etc.) - for that you need to either do all of the implementation yourself, or use a tool like Pathfinder (http://www.carillon.ca/products/pathfinder.php) that performs all of this validation for you, and which ties into the OpenSSL certificate verification callback.

Depending on the complexity of your trust environment (Pathfinder was written to handle just about every case, including complex Bridge PKI environments), you may not need that, and can simply ensure that your code reads the CRL Distribution Point information in the certificate, and either fetches the CRL, or uses a cached, but still valid, copy of the CRL, and then rely on the reasonably complete (for a simple trust environment) implementation that is currently part of the stock certificate verification callback.

Have fun.

--
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
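The reply above separates the rules OpenSSL's verifier enforces on its own (chain building, signatures, current validity dates, CRL checking once a CRL is supplied) from a rule it does not enforce (the child's validity window lying inside the parent's). The following is an added example, not code from this thread, from OpenSSL or from Pathfinder: it uses Python's standard `ssl` module, which wraps OpenSSL's verifier, to switch on the checks OpenSSL does implement, and then applies the date-nesting rule as a separate post-verification policy. The chain records are a simplified, constructed shape (a `name` string plus the `notBefore`/`notAfter` strings in the format `SSLSocket.getpeercert()` returns); real `getpeercert()` output carries the subject as nested tuples and only describes the leaf, so obtaining every certificate's dates is assumed to be done elsewhere.

```python
"""Added example (not from the thread or from OpenSSL): let OpenSSL, via the
stdlib ssl module, enforce the rules it implements, then apply the validity-date
nesting policy the thread says OpenSSL does not enforce."""
import ssl
import time


def make_client_context(cafile=None, crlfile=None):
    """Client-side context that fails closed on any verification problem."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED   # never accept an unverified peer
    ctx.check_hostname = True             # leaf must match the target host
    # VERIFY_CRL_CHECK_CHAIN makes OpenSSL require a CRL for every certificate in
    # the chain; with no CRL loaded, verification then fails ("unable to get
    # certificate CRL") instead of silently skipping revocation checking.
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    if cafile:
        ctx.load_verify_locations(cafile=cafile)   # trust anchors (PEM)
    if crlfile:
        ctx.load_verify_locations(cafile=crlfile)  # CRLs are loaded the same way
    return ctx


def context_summary(ctx):
    """Self-audit of the settings that matter for the rules discussed above."""
    return {
        "cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "crl_check_chain": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_CHAIN),
    }


def to_seconds(cert_time):
    """Parse the 'Jan 10 00:00:00 2024 GMT' form used by getpeercert()."""
    return ssl.cert_time_to_seconds(cert_time)


def currently_valid(cert, now=None):
    """The rule OpenSSL does enforce: notBefore <= now <= notAfter."""
    now = time.time() if now is None else now
    return to_seconds(cert["notBefore"]) <= now <= to_seconds(cert["notAfter"])


def nesting_problems(chain):
    """The rule OpenSSL does not enforce: each certificate's validity window must
    lie within its issuer's. `chain` is leaf first, root last."""
    problems = []
    for child, parent in zip(chain, chain[1:]):
        child_nb, child_na = to_seconds(child["notBefore"]), to_seconds(child["notAfter"])
        parent_nb, parent_na = to_seconds(parent["notBefore"]), to_seconds(parent["notAfter"])
        if child_nb < parent_nb or child_na > parent_na:
            problems.append(f"{child['name']}: validity not within issuer {parent['name']}")
    return problems


def extra_policy_check(chain, now=None):
    """Combine both rules; returns (ok, list_of_problems)."""
    problems = nesting_problems(chain)
    problems += [f"{c['name']}: not valid at the given time"
                 for c in chain if not currently_valid(c, now)]
    return (not problems, problems)


# Constructed sample chain (hypothetical names and dates): the leaf outlives the
# intermediate that issued it, which is exactly the case Anri's test exercised.
SAMPLE_CHAIN = [
    {"name": "leaf", "notBefore": "Jan 10 00:00:00 2024 GMT",
     "notAfter": "Jan 10 00:00:00 2026 GMT"},
    {"name": "intermediate", "notBefore": "Jan 10 00:00:00 2023 GMT",
     "notAfter": "Jan 10 00:00:00 2025 GMT"},
    {"name": "root", "notBefore": "Jan 10 00:00:00 2020 GMT",
     "notAfter": "Jan 10 00:00:00 2040 GMT"},
]

if __name__ == "__main__":
    print(context_summary(make_client_context()))
    ok, msgs = extra_policy_check(SAMPLE_CHAIN, now=to_seconds("Jun 01 12:00:00 2024 GMT"))
    print("policy ok:", ok)
    for m in msgs:
        print(" -", m)
```

In practice `make_client_context` is used with `ctx.wrap_socket(sock, server_hostname=host)`: OpenSSL rejects expired certificates, bad signatures and revoked certificates on its own, and only a connection that passes those checks reaches `extra_policy_check`, which is where the locally chosen nesting rule is applied.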