Hi Kyle, Sorry for the delayed response, I am just back form my Vacation.
Thank you so much for your response and the information provided. But even with the SSL_CTX_set_verify() callback invocation, the result of the certificate validation need to be returned in the context of the callback function itself in a synchronous manner. Where as in our scenario, the cert validation status is reported back in an Asynchronous manner as I explained earlier. I am just wondering how can I realize that scenario. Thanks again. Regards Vijay -----Original Message----- From: Kyle Hamilton [mailto:aerow...@gmail.com] Sent: Tuesday, April 07, 2009 12:26 PM To: openssl-users@openssl.org Cc: Kamalakanta Palei (kpalei); kvi...@gmail.com; Vijay Kothamasu (vikotham) Subject: Re: Query on OpenSSL for Certificate verification This is a protocol called OCSP, with its "designated responder" mechanism. If you want to implement it, call the OCSP functions with the DR address and the fields that OCSP needs during the SSL_CTX_set_verify() callback invocation; if you really need to, create two separate SSL_CTX contexts, one of which calls a function to check the certificate status, the other of which always passes (so that the DR certificate doesn't need to be in the client's local store). Note that I consider this insecure. First, the denial of service potential (the DR goes down). Second, man-in-the-middle or redirection attacks (the DR is replaced by a bogus one). Third, the entire point of X.509 is to allow for clients to have all the information they need to verify certificates in the absence of an online authority. For more information I suggest you read the cryptographic literature for the protocols that exist. -Kyle H On Mon, Apr 6, 2009 at 8:18 AM, Vijay Kothamasu (vikotham) <vikot...@cisco.com> wrote: > Hi, > > I am just wondering if there is a way to realize the following > scenario with the help of OpenSSL libraries, here is the brief explanation in > this regard. > > --------------------------------- > I have a client and Server who need to setup a secure connection using > TLS/SSL. But as part of handshake Server sends its certificate to the > Client. But Client doesn't have any certificates with it to > Authenticate the certificate, rather it needs to communicate (a > non-blocking call )with another entity(like Certificate Authority (CA) > ) to get the certificate validated. This CA will look through its list > of certificates to authenticate the it and inform back to the Client > in an Asynchronous manner(may be some callback) that the certificate > is valid. Now the Client will proceed further with the Server to > complete the Handshake and setup the connection. > > Here is a pictorial description of this scenario for better clarity > > > --------------------------------- > > I went through the available documentation, to the best of my > understanding I couldn't find the library APIs(SSL/BIO/X509) to > realize the above scenario. > > Is there any way to fit in the above verification setup as part of the > handshake? It will be of great help if anybody can provide me the > pointers in this regard. > > Thanks for your help in advance. > > Regards > Vijay ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
