This is a protocol called OCSP, with its "designated responder" mechanism.

If you want to implement it, call the OCSP functions with the DR
address and the fields that OCSP needs during the SSL_CTX_set_verify()
callback invocation; if you really need to, create two separate
SSL_CTX contexts, one of which calls a function to check the
certificate status, the other of which always passes (so that the DR
certificate doesn't need to be in the client's local store).

Note that I consider this insecure.  First, the denial of service
potential (the DR goes down).  Second, man-in-the-middle or
redirection attacks (the DR is replaced by a bogus one).  Third, the
entire point of X.509 is to allow for clients to have all the
information they need to verify certificates in the absence of an
online authority.

For more information I suggest you read the cryptographic literature
for the protocols that exist.

-Kyle H

On Mon, Apr 6, 2009 at 8:18 AM, Vijay Kothamasu (vikotham)
<vikot...@cisco.com> wrote:
> Hi,
>
> I am just wondering if there is a way to realize the following scenario with
> the help of OpenSSL libraries; here is a brief explanation in this regard.
>
> ---------------------------------
> I have a Client and Server who need to set up a secure connection using
> TLS/SSL. As part of the handshake the Server sends its certificate to the
> Client. But the Client doesn't have any certificates with it to authenticate the
> certificate; rather it needs to communicate (a non-blocking call) with
> another entity (like a Certificate Authority (CA)) to get the certificate
> validated. This CA will look through its list of certificates to
> authenticate it and inform the Client back in an asynchronous
> manner (maybe some callback) that the certificate is valid. Now the Client
> will proceed further with the Server to complete the handshake and set up the
> connection.
>
> Here is a pictorial description of this scenario for better clarity
>
>
> ---------------------------------
>
> I went through the available documentation; to the best of my understanding
> I couldn't find the library APIs (SSL/BIO/X509) to realize the above
> scenario.
>
> Is there any way to fit in the above verification setup as part of the
> handshake? It will be of great help if anybody can provide me the pointers
> in this regard.
>
> Thanks for your help in advance.
>
> Regards
> Vijay
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org