Then don't return from the original SSL_CTX_set_verify callback until you either: a) receive a valid OCSP response that says it's okay, b) receive a valid OCSP response that says it's not okay, c) receive an invalid OCSP response (i.e., OCSP failure), or d) time out.
You're perilously close to a "chicken and egg" problem here:
1) You need the certificate to check.
2) You cannot get the certificate to check until you attempt to make the connection.
3) Once you connect, you are stuck in a state machine where you haven't checked the certificate.

Some browsers try to handle this kind of situation by scanning HTML for links and pre-loading them to the cache. These tend not to work all that well.

If you're returning asynchronously, then you also need to have a mechanism to send asynchronous exceptions. Either that, or you have to make it synchronous until the OCSP response is returned.

-Kyle H

On Mon, Apr 13, 2009 at 2:35 PM, Vijay Kothamasu (vikotham) <vikot...@cisco.com> wrote:
> Hi Kyle,
>
> Sorry for the delayed response, I am just back from my vacation.
>
> Thank you so much for your response and the information provided.
>
> But even with the SSL_CTX_set_verify() callback invocation, the result of the
> certificate validation needs to be returned in the context of the callback
> function itself in a synchronous manner. Whereas in our scenario, the cert
> validation status is reported back in an asynchronous manner, as I explained
> earlier.
>
> I am just wondering how I can realize that scenario.
>
> Thanks again.
>
> Regards
> Vijay
>
> -----Original Message-----
> From: Kyle Hamilton [mailto:aerow...@gmail.com]
> Sent: Tuesday, April 07, 2009 12:26 PM
> To: openssl-users@openssl.org
> Cc: Kamalakanta Palei (kpalei); kvi...@gmail.com; Vijay Kothamasu (vikotham)
> Subject: Re: Query on OpenSSL for Certificate verification
>
> This is a protocol called OCSP, with its "designated responder" mechanism.
>
> If you want to implement it, call the OCSP functions with the DR address and
> the fields that OCSP needs during the SSL_CTX_set_verify() callback
> invocation; if you really need to, create two separate SSL_CTX contexts, one
> of which calls a function to check the certificate status, the other of which
> always passes (so that the DR certificate doesn't need to be in the client's
> local store).
>
> Note that I consider this insecure. First, the denial of service potential
> (the DR goes down). Second, man-in-the-middle or redirection attacks (the DR
> is replaced by a bogus one). Third, the entire point of X.509 is to allow
> for clients to have all the information they need to verify certificates in
> the absence of an online authority.
>
> For more information I suggest you read the cryptographic literature for the
> protocols that exist.
>
> -Kyle H
>
> On Mon, Apr 6, 2009 at 8:18 AM, Vijay Kothamasu (vikotham)
> <vikot...@cisco.com> wrote:
>> Hi,
>>
>> I am just wondering if there is a way to realize the following
>> scenario with the help of OpenSSL libraries; here is the brief explanation
>> in this regard.
>>
>> ---------------------------------
>> I have a client and server who need to set up a secure connection using
>> TLS/SSL. But as part of the handshake, the server sends its certificate to the
>> client. The client doesn't have any certificates with it to
>> authenticate the certificate; rather it needs to communicate (a
>> non-blocking call) with another entity (like a Certificate Authority (CA))
>> to get the certificate validated. This CA will look through its list
>> of certificates to authenticate it and inform the client back
>> in an asynchronous manner (maybe some callback) that the certificate
>> is valid. Now the client will proceed further with the server to
>> complete the handshake and set up the connection.
>>
>> Here is a pictorial description of this scenario for better clarity
>>
>>
>> ---------------------------------
>>
>> I went through the available documentation; to the best of my
>> understanding I couldn't find the library APIs (SSL/BIO/X509) to
>> realize the above scenario.
>>
>> Is there any way to fit the above verification setup in as part of the
>> handshake? It will be of great help if anybody can provide me
>> pointers in this regard.
>>
>> Thanks for your help in advance.
>>
>> Regards
>> Vijay
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
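Kyle's "make it synchronous until the OCSP response is returned" approach, as an added example in C that is not code from this thread or from OpenSSL: the thread running the verify callback blocks on a condition variable that the asynchronous status reporter signals, and gives up (fails closed) on a timeout, covering the four outcomes a) to d) above. The `ocsp_outcome` values, the `fake_responder` thread that plays the remote authority, and `run_check` are constructed stand-ins; a real deployment would call `verify_with_async_ocsp` from inside the SSL_CTX_set_verify() callback and return its verdict.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <time.h>
/* The four outcomes the reply lists: good, revoked, responder failure, timeout (constructed names). */
enum ocsp_outcome { OCSP_PENDING, OCSP_GOOD, OCSP_REVOKED, OCSP_ERROR, OCSP_TIMEOUT };
/* One in-flight verification, shared by the blocked callback and the asynchronous reporter. */
struct pending_check { pthread_mutex_t lock; pthread_cond_t done; enum ocsp_outcome result; };

/* Asynchronous side: whichever thread receives the status report calls this. */
void deliver_ocsp_result(struct pending_check *pc, enum ocsp_outcome r) {
    pthread_mutex_lock(&pc->lock);
    if (pc->result == OCSP_PENDING) pc->result = r;   /* a late answer never overrides a timeout */
    pthread_cond_signal(&pc->done);
    pthread_mutex_unlock(&pc->lock);
}
/* Synchronous side: block inside the verify callback until an answer arrives or timeout_ms elapses. */
enum ocsp_outcome wait_ocsp_result(struct pending_check *pc, long timeout_ms) {
    struct timespec deadline;                         /* absolute time, as pthread_cond_timedwait wants */
    clock_gettime(CLOCK_REALTIME, &deadline);
    long ns = deadline.tv_nsec + (timeout_ms % 1000) * 1000000L;
    deadline.tv_sec += timeout_ms / 1000 + ns / 1000000000L;
    deadline.tv_nsec = ns % 1000000000L;
    pthread_mutex_lock(&pc->lock);
    while (pc->result == OCSP_PENDING)                /* loop guards against spurious wakeups */
        if (pthread_cond_timedwait(&pc->done, &pc->lock, &deadline) != 0)
            pc->result = OCSP_TIMEOUT;                /* outcome d): fail closed */
    enum ocsp_outcome r = pc->result;
    pthread_mutex_unlock(&pc->lock);
    return r;
}
/* What the SSL_CTX_set_verify() callback returns after waiting: 1 (accept) only for a good answer. */
int verify_with_async_ocsp(struct pending_check *pc, long timeout_ms) {
    return wait_ocsp_result(pc, timeout_ms) == OCSP_GOOD;
}
/* Constructed stand-in for the remote authority: answers after delay_ms on its own thread. */
struct fake_responder { struct pending_check *pc; enum ocsp_outcome answer; long delay_ms; };
static void *fake_responder_run(void *arg) {
    struct fake_responder *fr = arg;
    nanosleep(&(struct timespec){ .tv_sec = fr->delay_ms / 1000,
                                  .tv_nsec = (fr->delay_ms % 1000) * 1000000L }, NULL);
    deliver_ocsp_result(fr->pc, fr->answer);
    return NULL;
}
/* One verification against the fake responder; returns the callback's verdict (1 accept, 0 reject). */
int run_check(enum ocsp_outcome answer, long delay_ms, long timeout_ms) {
    struct pending_check pc = { PTHREAD_MUTEX_INITIALIZER, PTHREAD_COND_INITIALIZER, OCSP_PENDING };
    struct fake_responder fr = { &pc, answer, delay_ms };
    pthread_t t;
    pthread_create(&t, NULL, fake_responder_run, &fr);
    int verdict = verify_with_async_ocsp(&pc, timeout_ms);
    pthread_join(t, NULL);                            /* a late answer may still be in flight */
    return verdict;
}
```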